038848c7258f264b13b63e1f38aa3e030280e164a0f334310ec93911b42d6043

General

Target

f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe
Size

15.9MB
MD5

f230cfecab281c9040bb9f5443a4fc79
SHA1

c0c67a19a987da7d8c21c5dd4b98145e763afd5e
SHA256

038848c7258f264b13b63e1f38aa3e030280e164a0f334310ec93911b42d6043
SHA512

c3b90e57e954f904efb7b7bf98622445ce118e1a639dbd29fba1fb36367429e1f8c7e0fc2ef7b148812ce3674a2499341ae0b2471e344dd3d1232fc9103301a0
SSDEEP

393216:ig7usg7usg7usg7usg7usg7usg7usg7uN:fSRSRSRSRSRSRSRSN

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2024	7D57AD13E21.exe
4632	Scegli_nome_allegato.exe
4384	7D57AD13E21.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 4384	2024	7D57AD13E21.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\IESettingSync	Scegli_nome_allegato.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4500	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4632	Scegli_nome_allegato.exe
4632	Scegli_nome_allegato.exe
4632	Scegli_nome_allegato.exe
4384	7D57AD13E21.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4500	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	90
PID 4468 wrote to memory of 4500	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	90
PID 4468 wrote to memory of 4500	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	90
PID 4468 wrote to memory of 2024	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	92
PID 4468 wrote to memory of 2024	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	92
PID 4468 wrote to memory of 2024	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	92
PID 4468 wrote to memory of 4632	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	93
PID 4468 wrote to memory of 4632	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	93
PID 4468 wrote to memory of 4632	4468	f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe	93
PID 2024 wrote to memory of 4384	2024	7D57AD13E21.exe	96
PID 2024 wrote to memory of 4384	2024	7D57AD13E21.exe	96
PID 2024 wrote to memory of 4384	2024	7D57AD13E21.exe	96
PID 2024 wrote to memory of 4384	2024	7D57AD13E21.exe	96
PID 2024 wrote to memory of 4384	2024	7D57AD13E21.exe	96

C:\Users\Admin\AppData\Local\Temp\f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f230cfecab281c9040bb9f5443a4fc79_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4500
- C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4384
- C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
15.9MB

MD5
2e60c76e64b42e5a8aa3b62e2579ff11

SHA1
6bfd070ced04e4a512d32d9ad54aa9b79011d6e1

SHA256
cee1bc5e51e1ed646fb477818558f53cfb268ffa2efad68448ba571b5712268b

SHA512
e40c7ba2c9136267dae9f8188389f4abeb502d7fd11600327a7ffd32edf3383e9c60f73fe1766f6b2a3a6a31a51eadccd1c83a5d894e9e78a57c2f1f65cab7b4

Download Submit
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
memory/2024-34-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2024-29-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2024-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4384-41-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4384-44-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4384-38-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4384-31-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4384-33-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4384-35-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4384-39-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4468-24-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4468-11-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4468-0-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4468-1-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4632-30-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4632-37-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/4632-28-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4632-25-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads