d3f2c0f3adfd1ca58a7f11e7b0aa1ab0898eb21f28ece12b124834a32344edc3

General

Target

09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe
Size

6.6MB
MD5

09d059555ae1c33398e1b058233c90f7
SHA1

e8d053cd210918615273005141a8538e93325146
SHA256

d3f2c0f3adfd1ca58a7f11e7b0aa1ab0898eb21f28ece12b124834a32344edc3
SHA512

7220b4c4742b71058ce89e776c32cc9557e662bec1df60efa59c9672a1d52ea55a6acf6835d3b9c665d7d446dea326eb785ab84aa77e5b8241a7ffe759a1f1fd
SSDEEP

196608:jFAz1qvbQy3mL2hK3iN0cCp819vD7Fo4M7rb:pAz1qv/37NA8n7Kvb

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp

Executes dropped EXE 1 IoCs

pid	Process
4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp

Loads dropped DLL 1 IoCs

pid	Process
4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2096	taskkill.exe
4584	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4932	212	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe	85
PID 212 wrote to memory of 4932	212	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe	85
PID 212 wrote to memory of 4932	212	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe	85
PID 4932 wrote to memory of 2096	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	88
PID 4932 wrote to memory of 2096	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	88
PID 4932 wrote to memory of 2096	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	88
PID 4932 wrote to memory of 4584	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	91
PID 4932 wrote to memory of 4584	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	91
PID 4932 wrote to memory of 4584	4932	09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp	91

C:\Users\Admin\AppData\Local\Temp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\is-8IT5B.tmp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8IT5B.tmp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp" /SL5="$6006E,6498462,212480,C:\Users\Admin\AppData\Local\Temp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im d6_9315.exe /t /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im d6_9315_shell.exe /t /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0OV4B.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8IT5B.tmp\09d059555ae1c33398e1b058233c90f7_JaffaCakes118.tmp

Filesize
1.2MB

MD5
185f4ea7b999c85debce0b1d510ac72a

SHA1
b15000cd4d6fb50f9c84590bd53f9b7e5fd71813

SHA256
5e174c337150ae401f1ee7b1fa10389cfcac71bb3097375081e045f7f5fbe3b5

SHA512
b6f5459279d0ed4dedda554b9f6b17b5a437edb5498d9c7dd01788c60e8f444ee58ef1080661130cae42c781c21c7d185d78b8c126b9de856c5c4f28d7452b48

Download Submit
memory/212-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-7-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4932-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4932-20-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads