2c483e46aa4e15932d06bbbd39fc67e6548c864ba248e59b6d3bd2a8801e4b0a

General

Target

fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe
Size

346KB
MD5

fd093c1edd9a2092e89493a0661bac0c
SHA1

49ab55ccd8ead7c293335ab80acd65bf0ccfdfec
SHA256

2c483e46aa4e15932d06bbbd39fc67e6548c864ba248e59b6d3bd2a8801e4b0a
SHA512

994961ae7095c1946d38fc48eeae78f91857f4ff8ff037b24be640ba2291bccde9cd6658c95776c20d0d9551512bf198b96114bddbda4a99dc33d234da6a3feb
SSDEEP

6144:vSncRlDRYyhtBJVszzjdgi6T7yFLro08gFVrvmnVW5GJZ2tNYLj8MfsPJe/Grdn4:K45fT3VUVFLB/FVSVzYKj86sPwMd4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE
2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe

Loads dropped DLL 3 IoCs

pid	Process
1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe
1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe
2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe
2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2180	1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2180	1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2180	1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2180	1968	fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2180 wrote to memory of 2832	2180	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE	32
PID 2832 wrote to memory of 1108	2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe	20
PID 2832 wrote to memory of 1108	2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe	20
PID 2832 wrote to memory of 1108	2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe	20
PID 2832 wrote to memory of 1108	2832	PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd093c1edd9a2092e89493a0661bac0c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE
    "C:\Users\Admin\AppData\Local\Temp\PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe
      C:\Users\Admin\AppData\Local\Temp\PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2832

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMAGES.JPEG

Filesize
5KB

MD5
6a39d6a49ac95d2f47135c9c8aa7392f

SHA1
83e4180ff008f05b3d2ed68614f3c081037fef82

SHA256
e06281c8f0d87afcd5b5877daf5bf31935021f80df0a0f7ff5bf7d1ed9a0ba41

SHA512
2429014652e4f4e39b347e647761a82a0efd4670ad940d07825fc9cec3ec401ed0589807ffc5164ded978e4d77b91d4c7caab63de1aaf9aeca89dd83c22fd73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHOTO_BIG_TITS_2011HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT.EXE

Filesize
287KB

MD5
cd9bd7b10fcfad50aee3e8e4eb5d7c49

SHA1
0de771d59a0bbbe56378ff608e24f4e784e662d1

SHA256
45f4b700f29796b5be51f086f1df2feb41a336a7b0f33c174c103d238e503c1e

SHA512
99928cfa637b386ea31b8b3bcddbc3e665dfd75466514f3b6496aa363d7eecfbbabe660c8689ad655b906ff298a02ac8b1eec63ddf990cb50ea28625ed4f752c

Download Submit
memory/1108-42-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1968-41-0x0000000002970000-0x0000000002A33000-memory.dmp

Filesize
780KB

Download
memory/1968-1-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/1968-12-0x0000000002970000-0x0000000002A33000-memory.dmp

Filesize
780KB

Download
memory/2180-28-0x0000000000401000-0x000000000044A000-memory.dmp

Filesize
292KB

Download
memory/2180-25-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/2180-16-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2180-15-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2180-18-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2180-19-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2180-24-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/2180-21-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/2180-20-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2180-27-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2180-26-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2180-17-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2180-14-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2180-38-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2180-35-0x00000000027F0000-0x00000000028B3000-memory.dmp

Filesize
780KB

Download
memory/2428-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2428-40-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2428-2-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2832-36-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2832-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2832-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2832-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads