78cbf1bbe122df68d303ad0add47c62ab718ce0bbc523611ead846498bea2fb3

General

Target

06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe
Size

72KB
MD5

06d54368772ebec0539d23fa33a65487
SHA1

98a34e77f8ee09288c0318edfd8df6116baf95b5
SHA256

78cbf1bbe122df68d303ad0add47c62ab718ce0bbc523611ead846498bea2fb3
SHA512

f2f36e43cb235dded8024fb2704cc7d699e00bece3aa1d2ac639ab4f8025bdb3287d536c7ff0df5e0edd04da3a75c441e6b18ce02e8d090d51eb49e2aca0b096
SSDEEP

1536:IMyGmMgX7/0XEbtYjMrEl/EFSQKuGm7HmTY4UC1Sp328:IMylMgrBYcvFjK1UHQJUC178

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	1708	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe
Token: SeRestorePrivilege	276	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2040	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	31
PID 1708 wrote to memory of 2040	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	31
PID 1708 wrote to memory of 2040	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	31
PID 1708 wrote to memory of 2040	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	31
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 2040 wrote to memory of 276	2040	cmd.exe	34
PID 276 wrote to memory of 2424	276	rundll32.exe	35
PID 276 wrote to memory of 2424	276	rundll32.exe	35
PID 276 wrote to memory of 2424	276	rundll32.exe	35
PID 276 wrote to memory of 2424	276	rundll32.exe	35
PID 2424 wrote to memory of 2720	2424	runonce.exe	36
PID 2424 wrote to memory of 2720	2424	runonce.exe	36
PID 2424 wrote to memory of 2720	2424	runonce.exe	36
PID 2424 wrote to memory of 2720	2424	runonce.exe	36
PID 1708 wrote to memory of 2620	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	38
PID 1708 wrote to memory of 2620	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	38
PID 1708 wrote to memory of 2620	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	38
PID 1708 wrote to memory of 2620	1708	06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06d54368772ebec0539d23fa33a65487_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c _wpcap_.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 796
  2⤵
  - Program crash
  PID:2620

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_wpcap_.bat

Filesize
160B

MD5
365188a3a0097c5588ef3e4bb899e236

SHA1
bf9b4b7bc0675dad65739b4a3f43d82358e30c88

SHA256
ee93814361a51ba25ff77a9c1d990d210c466ad7de61afec7944287976425f4f

SHA512
351e09f1b0594799f085172eb65f9eed0e587f490d08ed1b8c8dace8bf0aadab74a1ba542ce9e4d368d4236f1057a7b0400ab27f2b4753cdbda4d63af3dfca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf

Filesize
217B

MD5
f25ec42aef4ef70963f01af7d9cffd96

SHA1
e600676c30bdcbb79b5e1dee23a078d9e4756157

SHA256
0f0dc821a78931b644a6a7a805aec8e50b1301ea4a0ae8844503735814ae3074

SHA512
3118a648bc46feacea3a9386bf149aeb6e62dc75dbec5eb8bb3ede69bfb7c665881b2f8fb474e76659a0e86b252b8dc531499bfed9993b78ac3930d12b0c7e81

Download Submit
memory/1708-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-1-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/1708-2-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1708-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-17-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/1708-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads