e38a7a0118d013f822224c96f592d9e29880b206983421f4c37b929b9c0ac65e

General

Target

e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe
Size

3.6MB
MD5

e8363a96714253f74e78afec6eff1be6
SHA1

105299b6a0ff323f40f02dce2c3f601f9d76fa36
SHA256

e38a7a0118d013f822224c96f592d9e29880b206983421f4c37b929b9c0ac65e
SHA512

6961e355c1d0cb73ee442e1a237bb49df58d5df95f8e083b6a58a71256936a1019a3391bc14c4d40f527ed5e7d2b455f8c5985e47c9c54e07359528d8aef103a
SSDEEP

49152:j59RU4zq+svl4W8naLgIZ3OutMeZZW3KYJFWhpoc22URR4231TIQgKO24HYgH1:V9jb6qac43OutMQjMF+VfUh1BgGqYe1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	2.exe_npse.exe
4408	Crypter.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server.exe	Crypter.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	Crypter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe
1940	2.exe_npse.exe
4408	Crypter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 4284	4408	Crypter.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 1940	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	97
PID 3800 wrote to memory of 1940	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	97
PID 3800 wrote to memory of 1940	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	97
PID 3800 wrote to memory of 4408	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	98
PID 3800 wrote to memory of 4408	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	98
PID 3800 wrote to memory of 4408	3800	e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe	98
PID 4408 wrote to memory of 4284	4408	Crypter.exe	100
PID 4408 wrote to memory of 4284	4408	Crypter.exe	100
PID 4408 wrote to memory of 4284	4408	Crypter.exe	100

C:\Users\Admin\AppData\Local\Temp\e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8363a96714253f74e78afec6eff1be6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\2.exe_npse.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe_npse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\Crypter.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    C:\Windows\system32\server.exe
    3⤵
    PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5712 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1
1⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5740 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1
1⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4620 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5152 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1
1⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5512 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1
1⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4928 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1
1⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=560 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4692 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:3484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d0 0x390
1⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5556 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe_npse.exe

Filesize
773KB

MD5
ce2bc4c6fa32da165f3230a90b8114fc

SHA1
c96d94eaa380756381521e7bc2c266bce3e69eb1

SHA256
4b1e22f8a7997b00db08ccd68e4745066f99948b58ed8e8f655086d4e8fbeb23

SHA512
15e62bf9b67c22d635249a9a76e0f5bed3809437fa813ef201def66441eca690db50f140a3613c5477cd748411134f77167fbd0ffb12d0a34b951ac288a5bcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypter.exe

Filesize
771KB

MD5
5b8aa0115e4ab143a21404cc39123aa6

SHA1
e531b345c4caa3e80446e40ec89fa852a4a4d0b6

SHA256
2fea5986ed0b16475e00420a07ae821fb4a3773b546000cfd48b1e7f5faf4876

SHA512
9050ff2b713491548208382a11641ab4fb93af1dfe1152b073149156a0bfa5ee34beb7df853b5af6376abe2efad78dcd3f9d51d0796ca6a23e9d83b5791ce142

Download Submit
memory/1940-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1940-27-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3800-0-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/3800-26-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/4284-24-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download
memory/4408-19-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download
memory/4408-20-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download
memory/4408-18-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download
memory/4408-21-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download
memory/4408-25-0x0000000010000000-0x00000000100C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing