b1b7526eca4e6e3fb457ee3786b8bb8266d359ea7f3e8a774230b82c8338b2a1

General

Target

2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe
Size

173KB
MD5

2ec52fafa581bb2cdd9036ac207488d5
SHA1

992330db478393a0556ebaa9f25806935f7795cb
SHA256

b1b7526eca4e6e3fb457ee3786b8bb8266d359ea7f3e8a774230b82c8338b2a1
SHA512

6b487b4b3448f2cbf0aa1c9365f3e6512c2c5193de9e47a363c8547ab63b1e1b380f9d66d7f3fce62b4aac5989a298a1781ea78018f29d2a38daa5a8e40c28ae
SSDEEP

3072:H0Gu9BlfzWIbXWW+w0JP5JsD+LIz6mgYPMukLXi8rzJDQlhuPbdl:U/0uYhBuyXzZQlh2f

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\JbOiyiXi.dll	2.exe
File created	C:\Windows\system32\drivers\etc\GVgtw78yP8.del	2.exe
File created	C:\Windows\system32\drivers\etc\GVgtw78yP8.ini	2.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRAT_Service\Parameters\ServiceDLL = "C:\\Windows\\system32\\drivers\\etc\\JbOiyiXi.dll"	2.exe

Executes dropped EXE 2 IoCs

pid	Process
1932	5.exe
2520	2.exe

Loads dropped DLL 7 IoCs

pid	Process
2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe
2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe
1932	5.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2764	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2064	1932	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	svchost.exe
2764	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1932	2976	2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2520	1932	5.exe	31
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32
PID 1932 wrote to memory of 2064	1932	5.exe	32

C:\Users\Admin\AppData\Local\Temp\2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ec52fafa581bb2cdd9036ac207488d5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\2.exe
    "C:\2.exe"
    3⤵
    - Drops file in Drivers directory
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 316
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.exe

Filesize
166KB

MD5
99b3f9610ebd9d3a6cd970ee7cebee63

SHA1
4c723bd84e3ed3f4d599dae03581465f37e2d972

SHA256
86a330ea607e3e17f23b4c11a24c84eb9283b3667e86cb9338f3f950de42cfa2

SHA512
856f63469f38071b942d445a8695b0d0fa204b60a29b405d847fc0255dfc67ed0a342045073f6622ba2afaddde40b0db74370b52c9ce3d39826ec3017dac4c51

Download Submit
C:\Windows\system32\drivers\etc\GVgtw78yP8.del

Filesize
10B

MD5
553fac847804112dcf1933ae7c6d8ef0

SHA1
56e0bba4a530e808e6c9b4fbddfcb964dadcc91e

SHA256
6b89b6042ed28d8b136551c32535e1c361c3f38b131dc2a46e6c57b3d983591f

SHA512
814726317673c5eb3415721370bad837c966cfd9fe791b167c702d110e0365dadd51fd7b355a1ca4b3e48bc7ca0dbd205b7423844bd4c3ff88b1ed6a6417ffb9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
140KB

MD5
c237cbd4ac471d31dc67c28c6d592c4c

SHA1
6f2cbdc55b3fa6e2c8318ad9685fca7e7cb40744

SHA256
ea6a4e7b0fa4403d980799396163392f880a38c19817354be0dcd7c2f244c8ba

SHA512
de4ede2cb82e57dacbc63c7151b22c5ad15f1072f2c228ab856f43f7dd8a857321b2aa760cdea286675a70141a39624a7b911fc61196efc3015b1aa2afa1b54e

Download Submit
\Windows\System32\drivers\etc\JbOiyiXi.dll

Filesize
144KB

MD5
2b7dbd0b6269d5341a8e088274689231

SHA1
9357ad8195e04e875931b05f762ffa79e2865fde

SHA256
65f11fef4681eeeae015c0171cba37e664255834e2b2403efacc46799d719c35

SHA512
2b0fdeb8aaaae1d4befa6bd076a71ba241a0a4e92db281be2b5962d5d573987acdec20d146e7982e7445f312cdbc46f6572f225874ebb1cca3344c1a184cd38e

Download Submit
memory/1932-15-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/1932-19-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/2520-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-22-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/2520-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-42-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-43-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-36-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-51-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-50-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-39-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-40-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-41-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-49-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-48-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-44-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-46-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2764-47-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/2976-31-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/2976-0-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/2976-29-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/2976-30-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads