fc076806fcdadff211dd630b9ae8738636d18089fe3044c1e2539483170938f2

General

Target

04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe
Size

800KB
MD5

04d4f7bef715293305f3c142b8580fb0
SHA1

8e613f82bcc7b3cf5fdc05f9646a3204c07ab6d0
SHA256

fc076806fcdadff211dd630b9ae8738636d18089fe3044c1e2539483170938f2
SHA512

3b6fd78d994d7655ee77d3a5a2addcc5e62c7e0aa0caf3e9f79ce84af84819d47d7070195795bb6f0c97083cf9ab88f2e177a36f8b8aaccd181fa125e09b6451
SSDEEP

12288:ukw1kY6paioS6ZuBMvChOUw2Jmdyhm1z+6kcaOXZQeS4c3sXk2yysSj:TQkYmAzuw26+c+5bWQeS4hk2yFSj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
35	744	WScript.exe
39	744	WScript.exe
41	744	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Ingannaste.exe.com

Executes dropped EXE 3 IoCs

pid	Process
5116	Ingannaste.exe.com
4880	Ingannaste.exe.com
4896	Ingannaste.exe.com

Loads dropped DLL 1 IoCs

pid	Process
1452	04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	iplogger.org
35	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 4896	4880	Ingannaste.exe.com	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ingannaste.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ingannaste.exe.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	Ingannaste.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3912	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5116	Ingannaste.exe.com
5116	Ingannaste.exe.com
5116	Ingannaste.exe.com
4880	Ingannaste.exe.com
4880	Ingannaste.exe.com
4880	Ingannaste.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5116	Ingannaste.exe.com
5116	Ingannaste.exe.com
5116	Ingannaste.exe.com
4880	Ingannaste.exe.com
4880	Ingannaste.exe.com
4880	Ingannaste.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1376	1452	04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe	83
PID 1452 wrote to memory of 1376	1452	04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe	83
PID 1452 wrote to memory of 1376	1452	04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe	83
PID 1376 wrote to memory of 1252	1376	cmd.exe	85
PID 1376 wrote to memory of 1252	1376	cmd.exe	85
PID 1376 wrote to memory of 1252	1376	cmd.exe	85
PID 1252 wrote to memory of 5040	1252	cmd.exe	86
PID 1252 wrote to memory of 5040	1252	cmd.exe	86
PID 1252 wrote to memory of 5040	1252	cmd.exe	86
PID 1252 wrote to memory of 5116	1252	cmd.exe	87
PID 1252 wrote to memory of 5116	1252	cmd.exe	87
PID 1252 wrote to memory of 5116	1252	cmd.exe	87
PID 1252 wrote to memory of 3912	1252	cmd.exe	88
PID 1252 wrote to memory of 3912	1252	cmd.exe	88
PID 1252 wrote to memory of 3912	1252	cmd.exe	88
PID 5116 wrote to memory of 4880	5116	Ingannaste.exe.com	89
PID 5116 wrote to memory of 4880	5116	Ingannaste.exe.com	89
PID 5116 wrote to memory of 4880	5116	Ingannaste.exe.com	89
PID 4880 wrote to memory of 4896	4880	Ingannaste.exe.com	92
PID 4880 wrote to memory of 4896	4880	Ingannaste.exe.com	92
PID 4880 wrote to memory of 4896	4880	Ingannaste.exe.com	92
PID 4880 wrote to memory of 4896	4880	Ingannaste.exe.com	92
PID 4880 wrote to memory of 4896	4880	Ingannaste.exe.com	92
PID 4896 wrote to memory of 744	4896	Ingannaste.exe.com	99
PID 4896 wrote to memory of 744	4896	Ingannaste.exe.com	99
PID 4896 wrote to memory of 744	4896	Ingannaste.exe.com	99

C:\Users\Admin\AppData\Local\Temp\04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d4f7bef715293305f3c142b8580fb0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c cmd < Accompagna.eps
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^HNwvPIFsdWPBGPDIJFlOGWdgktomgKtXFXBbmwgnSfBHXtFAbBDjhrPKbMkLAyeGSSVIgupHdMWscIsunHeMuRJBoQZMQDYNjUPtpWjdaVWBi$" Osi.eps
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com
      Ingannaste.exe.com m
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com
        
        C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com m
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com
        
        C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qtabtol.vbs"
        7⤵
        Blocklisted process makes network request
        
        PID:744
  - - C:\Windows\SysWOW64\PING.EXE
      ping GAWKBMOT
      4⤵
      Runs ping.exe
      PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B28.tmp

Filesize
302B

MD5
9324d88d2390aab234065f3e63f514fb

SHA1
52ea620935c14d26016588d35e5b0b7936b89d82

SHA256
29ebdf1aadbf13cc5444a848649d92c8d2696d5cf406796b316c9b518bc424ec

SHA512
e6ca38b5c8900e8fb337b41d0f9563260e8966b89c97ee28285550d21f14ffd1cec2a28b17fb7e572d2a978af20fc3fc8e4779857759c8f63a1139c19f5b461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb49BC.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtabtol.vbs

Filesize
136B

MD5
01aaf72a9ea9128576043d705ac7077c

SHA1
117a6cd74ceb1f44c3126e81d3ce25db92250d65

SHA256
8c19ee1a15ea97f24045e337b35dba49ea2cc607f3d512501e91bb022f79d18d

SHA512
fdd2fcaae0e72dcc144c0a79ff9e59d2a377fa23d2211dbbb12a656caa8dbc119aa27c52211fdcb5ea97583deb470d7ba736ffe12016d05cfc1ee7a8ca752e77

Download Submit
C:\Users\Admin\AppData\Roaming\Accompagna.eps

Filesize
505B

MD5
1c1492d685731c098926ed400ecbf718

SHA1
e37040ba07e313c7db4b5147a66779227fb34d93

SHA256
a0d462824322bde608db6b92f72d914d27cfcdb83716efeb66f8816bfcb7efcd

SHA512
14070b0d2e3d5c460864cb34161082581416860d4666ee16e3961a0b0e14ba5e70afccc5ca27d31fbb0a9093f22581d32b4b156a612859001918ca3ebd9dc19a

Download Submit
C:\Users\Admin\AppData\Roaming\Eravate.eps

Filesize
932KB

MD5
4e63e14a1a0e110450ad93a9cd08f269

SHA1
69ef8982145d99f52f13563147fdaa387d5fa10c

SHA256
0e9926422d584c97cc70c83a395eb20af79c1a485edeb44e564ba7a26cdd5bf2

SHA512
3445311db82ce461c810e570a9e4b00f11c6a0fa508ed4bbf9f89369132740ce43f828fa4f7917ac764e683aed5b89db3989cfdd552b0f1b2038f2540204fae3

Download Submit
C:\Users\Admin\AppData\Roaming\Ingannaste.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Osi.eps

Filesize
872KB

MD5
cfe7a33fd6a2e271b311a32a500da0d0

SHA1
2b5b2aa99e983c7a655c185080e8262a2f38f600

SHA256
285a500bbee93867ce01ba4c43c60682586fde30653928e1a888013593880211

SHA512
89475b2a8e4e4b9c9370250f55424c30257794ac66a870c28a67c88086801512852c7dad123e7df7804d88481b0cc571fc6d0ffe7e153283beac2e3c2fcfd367

Download Submit
memory/4896-23-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/4896-26-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads