fd1a29e7647eae37750ec24af3325045d00e43df1ce070510d86a86ff8f92484

General

Target

b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe
Size

1.6MB
MD5

b4f54911fd477012fdabf5ef7efaa945
SHA1

0f6beea50dd6a26313ad06f7f077c0fd48a40c4f
SHA256

fd1a29e7647eae37750ec24af3325045d00e43df1ce070510d86a86ff8f92484
SHA512

c8deb4448a4aeecd804192575edac912cb844be863fed5f62e14e7f5f0c90c7f47886e022113ced53b408413a5fbede4b51e7b422dc993819dfa5012d908ecae
SSDEEP

24576:oX9xZP8h7sbnOXfHfcrlwulWg5R7jdcgQ17uIjjy2lrV/7kaRBpEDW:4EhqMwGufDcgQkIiYZj3RPuW

Score

7^/10

bootkit discovery persistence vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	eGdpSvc.exe
976	eGdpSvc.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2472-0-0x0000000000960000-0x0000000000CDD000-memory.dmp	vmprotect
behavioral2/memory/2472-2-0x0000000000960000-0x0000000000CDD000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023c8b-8.dat	vmprotect
behavioral2/memory/3224-15-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect
behavioral2/memory/2472-14-0x0000000000960000-0x0000000000CDD000-memory.dmp	vmprotect
behavioral2/memory/3224-17-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect
behavioral2/memory/3224-19-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect
behavioral2/memory/976-24-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect
behavioral2/memory/3224-40-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect
behavioral2/memory/976-41-0x00000000006F0000-0x0000000000A6D000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	eGdpSvc.exe
File opened for modification	\??\PhysicalDrive0	eGdpSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eGdpSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eGdpSvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	eGdpSvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3224	eGdpSvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 3224	2472	b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe	83
PID 2472 wrote to memory of 3224	2472	b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe	83
PID 2472 wrote to memory of 3224	2472	b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f54911fd477012fdabf5ef7efaa945_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\ProgramData\eSafe\eGdpSvc.exe
  "C:\ProgramData\eSafe\eGdpSvc.exe" -run
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3224

C:\ProgramData\eSafe\eGdpSvc.exe
C:\ProgramData\eSafe\eGdpSvc.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eSafe\eGdpSvc.exe

Filesize
1.6MB

MD5
b4f54911fd477012fdabf5ef7efaa945

SHA1
0f6beea50dd6a26313ad06f7f077c0fd48a40c4f

SHA256
fd1a29e7647eae37750ec24af3325045d00e43df1ce070510d86a86ff8f92484

SHA512
c8deb4448a4aeecd804192575edac912cb844be863fed5f62e14e7f5f0c90c7f47886e022113ced53b408413a5fbede4b51e7b422dc993819dfa5012d908ecae

Download Submit
C:\ProgramData\eSafe\log\eGdpSvc.LOG

Filesize
636B

MD5
2eba47866976473e84f65a691e9cd0a7

SHA1
6b382e8c6c2dd46f9bbd236c9a7745eb396f5ce1

SHA256
92164a767a1f9f99a0a229d24d1e36b53e20e4147a1648ca3242422882ed1a00

SHA512
1c938a863f129266a559c5dcb60ea3b02e7afabe449a1787d30029f7da8ffce3f37d4a7d3792f41111feeaddbd2de994c34f39cbacc5c5cb405b6245dfd2c9d0

Download Submit
C:\ProgramData\eSafe\log\eGdpSvc.LOG

Filesize
982B

MD5
e1a4ec6b676b7f8b0e7f079cb134450e

SHA1
ed140a4db9d3c0c7e0059b3742f174eeb81b60c8

SHA256
a9db32018533cb26056bbbb1d96153d3cdfeb550d853475233f45eb5cf13b4f0

SHA512
b12aab13ad016d39ad8304d3b127b56234b612af026ea6b5bb7ca00853b0778d768f403c012b5f76e2a02f9fa7f07097636d9e30d0402fb56db4136a98ef3088

Download Submit
C:\ProgramData\eSafe\log\eGdpSvc.LOG

Filesize
1KB

MD5
d910ecdd162140cd078101bd94478270

SHA1
67e06b42d041068ab7650206be52325ddf24bdd6

SHA256
f4876f11e9014ce100d44ee5ac85d668840e32f3958bb66e502520da99fd5f41

SHA512
89fca784795188c65a6f5225e5da7cc77e33c665c899e3b129dfa07352ca6b358d3d2c3fcb670a714eaab6c3fca43428278074ffd8b1e461d13691e0750cb704

Download Submit
C:\ProgramData\eSafe\log\eGdpSvc.LOG

Filesize
1KB

MD5
c78abc3ef1aa45f0061df8a8bab68d14

SHA1
a1845106566c7fdc4a538aab213fabefd16e377a

SHA256
08845f667e26158614e2d07910511b25d913f754663fe7775639242b0e2d0c7a

SHA512
ac2c65d5cf0408fcb607b4254951b92cea88920a2dff16918aebe94fde6c62dc4fe0889987e0ea8c38045fddce9f57312197f41361228d3aa43387fe0349e045

Download Submit
memory/976-24-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download
memory/976-41-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download
memory/2472-2-0x0000000000960000-0x0000000000CDD000-memory.dmp

Filesize
3.5MB

Download
memory/2472-0-0x0000000000960000-0x0000000000CDD000-memory.dmp

Filesize
3.5MB

Download
memory/2472-14-0x0000000000960000-0x0000000000CDD000-memory.dmp

Filesize
3.5MB

Download
memory/2472-1-0x0000000000961000-0x000000000099C000-memory.dmp

Filesize
236KB

Download
memory/3224-17-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download
memory/3224-19-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download
memory/3224-15-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download
memory/3224-40-0x00000000006F0000-0x0000000000A6D000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads