ff6a191388c63a0eba933c1d247db4b07f905728c0204d2f58bdff965c4377f1

General

Target

edc611f836805766cb477277e6503215_JaffaCakes118.exe
Size

4.3MB
MD5

edc611f836805766cb477277e6503215
SHA1

cdb18269fc7201b8b983578249878e4711730452
SHA256

ff6a191388c63a0eba933c1d247db4b07f905728c0204d2f58bdff965c4377f1
SHA512

bbcf04d1ee280d0501d80ab29ddb83c59e8d8f929246beed05495ee72cdcd0d9b2febc5d03188faeb96fa84fec958e9a86ec3a8146d9dbe33bda76697806f3aa
SSDEEP

49152:40rWePspAsProkyNs+hYwzdnAyo8DGLr30bo6hCDB2xECTZCtZEDUJ5KMJqb:ZXmNzokyFhY8May30cHDB2xbZcZ5XK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	edc611f836805766cb477277e6503215_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Horrible Husband Marnie Hewey.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	Horrible Husband Marnie Hewey.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	Horrible Husband Marnie Hewey.exe
2632	Horrible Husband Marnie Hewey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3216	PING.EXE
1380	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe
5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe
2632	Horrible Husband Marnie Hewey.exe
2632	Horrible Husband Marnie Hewey.exe
2632	Horrible Husband Marnie Hewey.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	Horrible Husband Marnie Hewey.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2632	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	87
PID 5060 wrote to memory of 2632	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	87
PID 5060 wrote to memory of 2632	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	87
PID 5060 wrote to memory of 4584	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	88
PID 5060 wrote to memory of 4584	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	88
PID 5060 wrote to memory of 4584	5060	edc611f836805766cb477277e6503215_JaffaCakes118.exe	88
PID 4584 wrote to memory of 3216	4584	cmd.exe	91
PID 4584 wrote to memory of 3216	4584	cmd.exe	91
PID 4584 wrote to memory of 3216	4584	cmd.exe	91
PID 2632 wrote to memory of 4636	2632	Horrible Husband Marnie Hewey.exe	95
PID 2632 wrote to memory of 4636	2632	Horrible Husband Marnie Hewey.exe	95
PID 2632 wrote to memory of 4636	2632	Horrible Husband Marnie Hewey.exe	95
PID 4636 wrote to memory of 1380	4636	cmd.exe	97
PID 4636 wrote to memory of 1380	4636	cmd.exe	97
PID 4636 wrote to memory of 1380	4636	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\Horrible Husband Marnie Hewey.exe
  "C:\Users\Admin\AppData\Local\Temp\Horrible Husband Marnie Hewey.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Horrible Husband Marnie Hewey.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:1380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bunifu_UI_v1.5.4.dll

Filesize
207KB

MD5
cfddb85e01988231beb3db5d60bb7511

SHA1
dc36c0461c725008c6c8341bfaf8c4ea63d94df3

SHA256
b3f783c4aceb2609ced9dd79226d7813b5be23a9b2cf4fc79b550dbfc52f9975

SHA512
5e33cc51217e5948d2969a7e1b11f3672d26a3b47c6867c843fdb4de930e6637d00ce05825947defc42242f7a2ae64e904a55472621082085ab4e3261e4525df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Horrible Husband Marnie Hewey.exe

Filesize
4.3MB

MD5
8a524269c0f48d033d9710b9699b17a9

SHA1
8c6a90e9c73fece5791e8bf3125a58e8bd41ba0e

SHA256
4efed10ec0a6641aa89239b48b4e1cb3c7a2b69ad451cd461ed6a4a1bcdaca36

SHA512
c165be12bb86ccdfb9f4c59d4136bfbb5d334667497129bd79088a24452a4f888fd7a5d278b322669e2a7e24634ad200a2323ca2a089c5a723410a346f962a7b

Download Submit
memory/2632-34-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/2632-32-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/2632-31-0x000000000A3F0000-0x000000000A42A000-memory.dmp

Filesize
232KB

Download
memory/2632-27-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/2632-26-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/2632-23-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/2632-24-0x0000000000DA0000-0x00000000011F2000-memory.dmp

Filesize
4.3MB

Download
memory/5060-8-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/5060-0-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/5060-7-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/5060-25-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/5060-6-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/5060-5-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/5060-4-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/5060-3-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/5060-2-0x0000000007260000-0x00000000076EE000-memory.dmp

Filesize
4.6MB

Download
memory/5060-1-0x0000000000A80000-0x0000000000ED2000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing