919494303f059d91e52ec0bb56c9b5c33f46cb479e65bbc560cc4817b6fcc8ee

General

Target

JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
Size

1.2MB
MD5

8acde77f6157d8f53783dfab311370cc
SHA1

6fed2cb5d25332c3a193b6903fe44a45cbd7c1bc
SHA256

919494303f059d91e52ec0bb56c9b5c33f46cb479e65bbc560cc4817b6fcc8ee
SHA512

eb80dbe138d76b4313aa82f3d00312bdd670fc67ec4e14ad6601206b71fb6668b0e7cac31d12c5c369c1ff50fe78e9e96a70f1089938011d1cf1990446519161
SSDEEP

24576:Q+3dwWxKk9+7GefVl9UygEOEpd70wRlsUiXLLNwUaXcXrnXM82p:ZtjeZUDFEMIl0XNw0M82

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	demo.com

Loads dropped DLL 3 IoCs

pid	Process
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
2052	demo.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	demo.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	demo.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2052	1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe	30
PID 1584 wrote to memory of 2052	1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe	30
PID 1584 wrote to memory of 2052	1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe	30
PID 1584 wrote to memory of 2052	1584	JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe	30
PID 2052 wrote to memory of 2812	2052	demo.com	31
PID 2052 wrote to memory of 2812	2052	demo.com	31
PID 2052 wrote to memory of 2812	2052	demo.com	31
PID 2052 wrote to memory of 2812	2052	demo.com	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8acde77f6157d8f53783dfab311370cc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\demo.com
  C:\Users\Admin\AppData\Local\Temp\demo.com
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\demo.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HDDPhysic.dll

Filesize
58KB

MD5
60ead979318a5effb7774fbcc2f23b50

SHA1
2d6df81c79aa75d771bffea6c9318848cfbe186b

SHA256
b2e5f4756d96c0060364ae70e8d0e52605b6aaeacb8c4b9894ad279e24c3a346

SHA512
4fa9ad0692b6553bf956ee6fff8d6948bef0a2fb1cfc97920f6cdbab6febb1f9070c6d8b03c387d09bdc6868278626f40ca35cd0685decf8a510c071d1582650

Download Submit
C:\Users\Admin\AppData\Local\Temp\demo.bat

Filesize
170B

MD5
f283d0ec5d947ec31fe5bbe78b07c6f8

SHA1
b243495f70100bd3c1641af2b09490d28d3c4c74

SHA256
878c53b547d0e0d54b61549654f6be437e368b3d2313fefa8e9368f92e6c1b6b

SHA512
7c3a967b2ecf6da8be37965b67eecbf7c21dec1dbb54c5f892ce9348c49b28f276e207dd2905fa9dfaa62d04fb6013d7c1c2007efe83b718e94c98c793a0a31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hddinfo.ini

Filesize
40B

MD5
e2b9e501f4b245db43957f5575ab3675

SHA1
540a6d4aac18ff3d16e309ebdae5904e6b953388

SHA256
1c3c7b000c1d220ea16761904df29881e89debb3f660e5a7bf585d64f9222eef

SHA512
a2e3a29d1938edfd6548a4e408ddc551b8931ce2054fd2fa16f3a97a4e76773562d3c2a322d7c731d0427f68ca39ae5decc8746560bd930d1092e18063323ae1

Download Submit
\Users\Admin\AppData\Local\Temp\demo.com

Filesize
162KB

MD5
bc9ae1258b839cb8924e005cc1ee02d1

SHA1
db74d2958f56fd9257462f3c3a887da018d72c0c

SHA256
0a3f9a12400c6854f651a36005b220bbf3584f4217d4374ab58591ae6eaa3d4c

SHA512
c42b5faa9943df8430489ade63307ba1e4a8a04a31c27155e44eafec01109ee8ff101670d3d3fc59fc47f67a250e8cdce3d4d17d25adb585c13e5ea163644a2f

Download Submit
memory/1584-17-0x0000000004B90000-0x0000000004C05000-memory.dmp

Filesize
468KB

Download
memory/1584-53-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-51-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-59-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-0-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-58-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-57-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-56-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1584-55-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-54-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-18-0x0000000004B90000-0x0000000004C05000-memory.dmp

Filesize
468KB

Download
memory/1584-52-0x0000000004B90000-0x0000000004C05000-memory.dmp

Filesize
468KB

Download
memory/1584-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1584-44-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1584-45-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-46-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-47-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-48-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-49-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/1584-50-0x0000000000400000-0x000000000108D000-memory.dmp

Filesize
12.6MB

Download
memory/2052-23-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/2052-38-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/2052-39-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2052-40-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2052-37-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2052-26-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2052-25-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2052-24-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2052-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads