f5e03c01478ea2c3599be47fd10492651ec0b8fce41ce5cb02f9acb88aa71e1b

General

Target

52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe
Size

110KB
MD5

52996a3127163f873d0c636dbf3f9b18
SHA1

72bc4fa68521a3280c8b14207f950c3ce9c42e3a
SHA256

f5e03c01478ea2c3599be47fd10492651ec0b8fce41ce5cb02f9acb88aa71e1b
SHA512

be58662efdccff6b896130e7c6899e5f40b416ca8e39a5e9cd533428e4faee30069ecc3bb1462f0682a389708e9deaabb23ccc964cd812c22203bcbc55d43ddb
SSDEEP

1536:SFzamKJ/9x9LUGwZt0Ej5+k7uArgqXxwqxzLRsvr2DW44Rjq4v9lWyiKY7tZ26w+:S9amc9x9gr0xkXxz1svKDL4R1qpQ2U3

Score

7^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	avp.exe

Loads dropped DLL 1 IoCs

pid	Process
856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\od3mdi.dll	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dElplme.bat	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2900	856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe	32
PID 856 wrote to memory of 2900	856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe	32
PID 856 wrote to memory of 2900	856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe	32
PID 856 wrote to memory of 2900	856	52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52996a3127163f873d0c636dbf3f9b18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delplme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dElplme.bat

Filesize
306B

MD5
33a074fea862f4a620bde29a305e0f0d

SHA1
e59af972119de138d8f2bc9b355bb202f19c3a97

SHA256
96ca9a452eb4a734e6abca2b7da56f61f391ed28d1a5559bc85a61ed29cf09ff

SHA512
6bbff8fa613722010f39c9c3b521dc93e0ca43db1dd157c662c2303b91e69e338568917213da5db0a8446e1823ce5a524dd13291e521e5077dbc815c0efdd3eb

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
1c005db3de9c9adc32f4e74dbc278dac

SHA1
d0711580dcd2eaf24329ef9e08f06971c0cbd16a

SHA256
611e13801520f05f2aaf4387e9c77dd38133cb3ca5d45d3d8dad06432c87341e

SHA512
24e34f8caf205dfc619b4af2e92cf2f233e6c4f303b926a2bbcc5d071f124ce8ca3afe969aec4cba260b209745c39d5968ee420ee29e017ecbd0e274046e363f

Download Submit
\Windows\SysWOW64\od3mdi.dll

Filesize
238KB

MD5
93c75be57b0d7b0ddfb72a87eca94631

SHA1
5db66fd54bcc8541d9398b2c0e631d42e28c7669

SHA256
650bbd920701bcb32a135fc4ef0b7fec510c1771fca44f773afd534d19b31e07

SHA512
f2e8b9346263b2b82c02ca87f8ff702802e5956adbf8070ebeab734772916465294fd5ffe2ebd2c345b01db3cbd4ef8dbc10381e17c49526363044f9459d7310

Download Submit
memory/856-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/856-3-0x00000000002C0000-0x0000000000308000-memory.dmp

Filesize
288KB

Download
memory/856-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2772-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads