10de7fcb912db00e42000522e1ce05c54d6e8df01874125314b4b6bf68ce4cb5

General

Target

e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe
Size

2.0MB
MD5

e28ef345a79740d76e2a1cee292e4c75
SHA1

e4aac6062af45f5b03c0642bbd5f31d7cebac6a5
SHA256

10de7fcb912db00e42000522e1ce05c54d6e8df01874125314b4b6bf68ce4cb5
SHA512

c8c2ffc51d4392c1d7b81be9af045cd72ef40bab2bb3e343ad38cf0ad4dfe576075f13b3c9404ec887e4ecc46f2dc30e8387eadc5ec317a8af7a7e86ada33b0b
SSDEEP

49152:rG9cVgsLdtm9Ul9k9VnUmuzs9m4r3Mz2VvYbeEoKXXfPPlWE5:rwMgtUl9UAOhEoYXfnlWE5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exeh909z96f0636opj.exe22139ip06107dpv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	h909z96f0636opj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	22139ip06107dpv.exe

Executes dropped EXE 3 IoCs

Processes:

h909z96f0636opj.exe22139ip06107dpv.exeProtector-eksn.exe

pid process

2072 h909z96f0636opj.exe
1176 22139ip06107dpv.exe
4696 Protector-eksn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2072	h909z96f0636opj.exe
1176	22139ip06107dpv.exe
4696	Protector-eksn.exe

Modifies registry class 40 IoCs

Processes:

22139ip06107dpv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win32\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Version\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\InprocServer32\ = "%systemroot%\\SysWow64\\mstscax.dll"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\ = "Microsoft Speech Object Library"	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\VersionIndependentProgID	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\VersionIndependentProgID\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\MiscStatus	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Programmable\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\FLAGS	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\FLAGS\ = "0"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\TypeLib\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Version	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\InprocServer32	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\ProgID\ = "MsRDP.MsRDP.3"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win64\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Control\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\ProgID\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\ = "Owavi object"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\MiscStatus\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win64	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\TypeLib\ = "{BDA63175-F8E8-9115-6F5C-E2990EBB565B}"	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\InprocServer32\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win32	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\FLAGS\	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\TypeLib	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Version\ = "1.0"	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\ProgID	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Programmable	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDA63175-F8E8-9115-6F5C-E2990EBB565B}\5.4\0\win64\	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\VersionIndependentProgID\ = "MsRDP.MsRDP"	22139ip06107dpv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\Control	22139ip06107dpv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{377F1496-8DAA-4E2E-B391-E0A0DDCFFF07}\MiscStatus\ = "0"	22139ip06107dpv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

22139ip06107dpv.exeProtector-eksn.exe

description	pid	process
Token: SeDebugPrivilege	1176	22139ip06107dpv.exe
Token: SeShutdownPrivilege	1176	22139ip06107dpv.exe
Token: SeDebugPrivilege	4696	Protector-eksn.exe
Token: SeShutdownPrivilege	4696	Protector-eksn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

22139ip06107dpv.exeProtector-eksn.exe

pid process

1176 22139ip06107dpv.exe
4696 Protector-eksn.exe

pid	process
1176	22139ip06107dpv.exe
4696	Protector-eksn.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exeh909z96f0636opj.exe22139ip06107dpv.exe

description	pid	process	target process
PID 2128 wrote to memory of 2072	2128	e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe	h909z96f0636opj.exe
PID 2128 wrote to memory of 2072	2128	e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe	h909z96f0636opj.exe
PID 2128 wrote to memory of 2072	2128	e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe	h909z96f0636opj.exe
PID 2072 wrote to memory of 1176	2072	h909z96f0636opj.exe	22139ip06107dpv.exe
PID 2072 wrote to memory of 1176	2072	h909z96f0636opj.exe	22139ip06107dpv.exe
PID 2072 wrote to memory of 1176	2072	h909z96f0636opj.exe	22139ip06107dpv.exe
PID 1176 wrote to memory of 4696	1176	22139ip06107dpv.exe	Protector-eksn.exe
PID 1176 wrote to memory of 4696	1176	22139ip06107dpv.exe	Protector-eksn.exe
PID 1176 wrote to memory of 4696	1176	22139ip06107dpv.exe	Protector-eksn.exe
PID 1176 wrote to memory of 5116	1176	22139ip06107dpv.exe	cmd.exe
PID 1176 wrote to memory of 5116	1176	22139ip06107dpv.exe	cmd.exe
PID 1176 wrote to memory of 5116	1176	22139ip06107dpv.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e28ef345a79740d76e2a1cee292e4c75_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\RarSFX0\h909z96f0636opj.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\h909z96f0636opj.exe" -e -ps7ile3bq92650zj
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\RarSFX1\22139ip06107dpv.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\22139ip06107dpv.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Protector-eksn.exe
C:\Users\Admin\AppData\Roaming\Protector-eksn.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\22139I~1.EXE" >> NUL
4⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\h909z96f0636opj.exe
Filesize
1.9MB

MD5
a52857b4dad31854cc791524713b5f70

SHA1
d7326cd1e4c155d7dd10055952c2fa3702fcd91d

SHA256
b8dbc9c3e64b7b8024340441c380371740bdd87812c6828b76a686be9824e65c

SHA512
15d6d6f9c6e0efe31ac520622ea717b974876cc1401ea152afee4707f3fb7b60860d6a522e3ff0927bdba1e79407a2ab75a3faf5a88a1b20dd21377998d3781b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\22139ip06107dpv.exe
Filesize
1.9MB

MD5
5ecce49f7de9af90b9a26c276809f504

SHA1
f93ed10de32b844c9ee86a53c503419e14e25ed2

SHA256
eb579aa9b6523ba7db0fe6f7496523fce227b233929be0ad3c1acd0646a1754c

SHA512
f419a507d39e3c9cd6a984b6fa6450ffd6fd5de8b72221d2640cca10ef9a14d04509c53eb31b5e1aae6a984ae8df464cbd45f1f6b8b2ca55478628876c9265ba

Download Submit
memory/1176-35-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1176-23-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1176-36-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1176-24-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1176-25-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1176-26-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1176-27-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1176-28-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1176-29-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1176-30-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download
memory/1176-31-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1176-32-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/1176-33-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1176-34-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1176-21-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1176-22-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/1176-37-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/1176-38-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1176-39-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1176-51-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1176-53-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/4696-46-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4696-47-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4696-48-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4696-50-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/4696-49-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/4696-54-0x00000000023B0000-0x000000000240A000-memory.dmp

Filesize
360KB

Download
memory/4696-45-0x00000000023B0000-0x000000000240A000-memory.dmp

Filesize
360KB

Download
memory/4696-44-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4696-52-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads