55c1833817a413db9316e07c374df3019bbc2792f0dff16d964f3109512eaed2

General

Target

9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
Size

1.2MB
MD5

9103ef9b9b1f4cee3d43a4f100d35018
SHA1

fbaa117c22fb1053abe9234107487ac634b82c82
SHA256

55c1833817a413db9316e07c374df3019bbc2792f0dff16d964f3109512eaed2
SHA512

3b83d680e0c83df07622d37e60640f377436839132a6f304c6379542e48de951099a0287e221614680d66a10518a208c0f1b0957b0261c72c44aa33b8dc81698
SSDEEP

24576:nXWcPsTMuyZZGu0bCUbXVLKN1sowy+Hug45tiEXiBwx:mE4MetbZBWTsjbz45KOx

Score

7^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000b000000023b64-4.dat	aspack_v212_v242
behavioral2/files/0x000a000000023b68-12.dat	aspack_v212_v242
behavioral2/files/0x000a000000023b6a-16.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe

Loads dropped DLL 11 IoCs

pid	Process
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
316	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 316	4088	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe	82
PID 4088 wrote to memory of 316	4088	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe	82
PID 4088 wrote to memory of 316	4088	9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9103ef9b9b1f4cee3d43a4f100d35018_JaffaCakes118.exe" -1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\812F5E66-0482-4FE3-A83D-7495739DC548\Language.ini

Filesize
9KB

MD5
6ba094067ccabd10f2d16371b482b27e

SHA1
0b181e9fc182bd40d60a37a4b42f5aeef8a05393

SHA256
67317a84467e05bd7bd182d31eac866c743a092d2cfaedacba15e42e948d729a

SHA512
ab9c878dd2a219f9e7aacd9ad1136781d4d298f1014b7c2a41389b563ebda37a65fcc9a1f8aa00f8efef625ba8af322393a7056f310e6d1cd0fb86b17a98a76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\812F5E66-0482-4FE3-A83D-7495739DC548\title.jpg

Filesize
18KB

MD5
d7ec5ff93ffb4d309a4ef1d2152b32a3

SHA1
2b80ef7f5eff6fcdfb1edb52377e3a346c5460ef

SHA256
d87638795c1092a7447714a2e95e81b91825d31c6a0339656e7cecedfc4c22a8

SHA512
55ab3529b03de7b31bd1403f20ac5e4e4bb565c3c4c9523aa98a44f4bd2d73f4373f379d3897bf6e1124941ee9aabcc68d207a9ffe6afa04ee998496caa9bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ED7B915-23BD-452A-B989-E45DD1B0F585.dll

Filesize
384KB

MD5
1ed8bb0300e7646a4d19bb036196cb28

SHA1
4a16c95247c3dd3068b262abc62078ed129c4fe6

SHA256
4f9c5b8b6d8a0fb849877adc904e0d3a0f253bdc62b2fdb1c4119f20ebb87a3c

SHA512
852dfcb1420df570f5c0b444c2a31a341d10f9c27489d1128d179e6ee055c5623a76ec1d061d0e55f0d8aeaf5a4df5ca07d224c69456ea5da120bce82529ddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B544C0E2-4D3F-4C34-B204-DAA5A02D19BD.dll

Filesize
417KB

MD5
816a0d8fbf1b6693cd49f616559199d9

SHA1
fb808122e27ef6d66bced8ee08143ec15f3b9043

SHA256
318c078af7739fd9f70ce7e9bf2b52a86038b4c6a1e8d7e8a8b5749d44b7e8ab

SHA512
32d1277c235cab3d8c608753452a52a14a922e3ec903b74afa8ea3db8d7460e13e312da4a73ab1c2d222df523b6567c17e95b8ebb631404edabc7e64d7749452

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCF695CC-55A5-40BC-87FB-A4696B9C5448.dll

Filesize
174KB

MD5
6e02945f320d4349958fc6b901739c58

SHA1
3258dcb140855a4b005f63877bf438051fb190d8

SHA256
13a23db70f752fe253252fd37dedc350c746e0f7aaf856ae71f256736c473dc3

SHA512
7e74dff01cf56e8cb664c075fedcca8aeade7ab09cff63252f9e1e1b8b3734a857c97034e4e8925dca3fc7b8a6df925b40923cffd42b23deebd2432d5063e29c

Download Submit
memory/316-34-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/316-121-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/316-18-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/316-150-0x0000000002810000-0x000000000290C000-memory.dmp

Filesize
1008KB

Download
memory/316-33-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/316-2-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/316-140-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/316-8-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/316-122-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/316-123-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/316-124-0x0000000002810000-0x000000000290C000-memory.dmp

Filesize
1008KB

Download
memory/316-137-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/4088-1-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4088-0-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads