a31a9747fae1a12192403397ab01d71e0a71cb7bdd65b17812bbac3629f283b0

General

Target

115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Size

407KB
MD5

115364abbc910e87f98ca4f3a4cd47e3
SHA1

e95aae1d51b904391d33263a683609d01925f457
SHA256

a31a9747fae1a12192403397ab01d71e0a71cb7bdd65b17812bbac3629f283b0
SHA512

89087f84f3ceaa7b0f3bebefbe165f0cc6bb2f16622ed1758e42b7e8606ad7f1885b8a9deae7c6bf417b0bbe8bafcedbc5e84ded94b1913bb4d520feee46b182
SSDEEP

12288:7K+yZqQgpbXK8IY+2CGEAN2Ah0s0/5QSSSlE:7K+ywjbJxZL9h0sY5QBSl

Score

10^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe:*:Enabled:@xpsp2res.dll,-22019"	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4584	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4584	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
4584	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93
PID 2488 wrote to memory of 4584	2488	115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\115364abbc910e87f98ca4f3a4cd47e3_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4584

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv dTbutRrXikK8SU/KlAvw+w.0
1⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4584-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads