40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff

General

Target

e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
Size

1000KB
MD5

e980c31b58b67d1974c265d452b41b1d
SHA1

79e3481a92d8d7262fd525fa35673b84454a0471
SHA256

40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff
SHA512

8588e6b33c53267a76468dcb21dc2e8fef2a1afdcb44a30c2d45c2c9a9d53ed1e303330161c2d5743f5a172aca1186cc8cd7dee62dd0b4d1e3bd7bec4b15c789
SSDEEP

24576:LwIjc//////YhXrZb+qbz81Fkkv5fx/ClxRJ8r627CzO6kdlVE:8Sc//////YhXrt+qFiDwFU7CpklVE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3908	ScrBlaze.scr
3464	ScrBlaze.scr

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ScreenBlazeUpgrader.bat	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File created	C:\Windows\ScrBlaze.scr	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File opened for modification	C:\Windows\ScrBlaze.scr	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File opened for modification	C:\Windows\ScreenBlaze.exe	ScrBlaze.scr
File opened for modification	C:\Windows\ScreenBlazeUpgrader.bat	ScrBlaze.scr
File opened for modification	C:\Windows\ScreenBlaze.exe	ScrBlaze.scr
File opened for modification	C:\Windows\ScreenBlazeUpgrader.bat	ScrBlaze.scr
File created	C:\Windows\ScreenBlaze.exe	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
3908	ScrBlaze.scr
3908	ScrBlaze.scr
3464	ScrBlaze.scr
3464	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
3908	ScrBlaze.scr
3908	ScrBlaze.scr
3464	ScrBlaze.scr
3464	ScrBlaze.scr

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1728	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	88
PID 1592 wrote to memory of 1728	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	88
PID 1592 wrote to memory of 1728	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	88
PID 1592 wrote to memory of 3908	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	94
PID 1592 wrote to memory of 3908	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	94
PID 1592 wrote to memory of 3908	1592	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	94
PID 3908 wrote to memory of 2288	3908	ScrBlaze.scr	96
PID 3908 wrote to memory of 2288	3908	ScrBlaze.scr	96
PID 3908 wrote to memory of 2288	3908	ScrBlaze.scr	96
PID 3464 wrote to memory of 1416	3464	ScrBlaze.scr	102
PID 3464 wrote to memory of 1416	3464	ScrBlaze.scr	102
PID 3464 wrote to memory of 1416	3464	ScrBlaze.scr	102

C:\Users\Admin\AppData\Local\Temp\e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\ScreenBlazeUpgrader.bat
  2⤵
  PID:1728
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\ScreenBlazeUpgrader.bat
    3⤵
    PID:2288

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\ScreenBlazeUpgrader.bat
  2⤵
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScrBlaze.scr

Filesize
1000KB

MD5
e980c31b58b67d1974c265d452b41b1d

SHA1
79e3481a92d8d7262fd525fa35673b84454a0471

SHA256
40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff

SHA512
8588e6b33c53267a76468dcb21dc2e8fef2a1afdcb44a30c2d45c2c9a9d53ed1e303330161c2d5743f5a172aca1186cc8cd7dee62dd0b4d1e3bd7bec4b15c789

Download Submit
C:\Windows\ScreenBlazeUpgrader.bat

Filesize
251B

MD5
1b6947de66aa77bb45467cbf8a954d57

SHA1
150df7d37acda9be67f356366ebe5c86f4e2e736

SHA256
8cb979326e5abd04737cee99e2e116567d9da9ef45b5b2008cb47ed3bc1f5e91

SHA512
4af58804e62e7b97c7ee5fada4cbdf40d7c88b3696c2f15f1d50cee33fb34543f6425eb9e52cfbb2720f6798ca5dae2ed11f2427e6ece03c59fdf3d336dbbd70

Download Submit
C:\Windows\ScreenBlazeUpgrader.bat

Filesize
495B

MD5
34de790f23b844eeb353591c54f7fcfb

SHA1
1fba489a1df0caed474f0bf983b5551129335993

SHA256
b76c214f45511c48192e2303a3c86e0a393103dfd21b46d8514d432bc020f825

SHA512
01dd1108509ba287dabf90530c85b5ffb3bbf80fbbe0e97385b2270acc1c06828f5c8e752b017dc92d4bd784bd1659077f562682883417637019a3a5ea8686f9

Download Submit
memory/1592-0-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1592-32-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1592-35-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3464-59-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3464-70-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3464-67-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3908-12-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3908-38-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3908-33-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing