9fcfbb8851003bd433b7d81f8ae3d56dd0a81dd5a8607bca7d74d88756bd15ea

General

Target

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
Size

36KB
MD5

fbc3f0e790aafbd7f5bf39e28317d6ef
SHA1

f6ff9912af01302261fa7dfb98f71a85df5074ed
SHA256

9fcfbb8851003bd433b7d81f8ae3d56dd0a81dd5a8607bca7d74d88756bd15ea
SHA512

a4b0e08e6200d50653fefd4e87058734f76c4bcd40a71621712d0c6c59f2d514cd06428541f7363b0abeee51b4db5ce798888ab5d42ea82da66f024ce83e6382
SSDEEP

768:vtFUkLj9F+J4pE+GtOlfSmC5znWOjgJASvfUbP/PF7S:lF5LjfI4pE+/fSHznvgGYfUjF7S

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exedevice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	device.exe

Executes dropped EXE 3 IoCs

Processes:

device.exepart.exesysdevice.exe

pid process

2340 device.exe
4716 part.exe
380 sysdevice.exe

pid	process
2340	device.exe
4716	part.exe
380	sysdevice.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\device.exe	upx
behavioral2/memory/2340-7-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2340-17-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 18 IoCs

Processes:

sysdevice.exepart.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File opened for modification	C:\Windows\SysWOW64\sysdevice.exe	part.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe	part.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3772 380 WerFault.exe sysdevice.exe
2696 380 WerFault.exe sysdevice.exe

pid	pid_target	process	target process
3772	380	WerFault.exe	sysdevice.exe
2696	380	WerFault.exe	sysdevice.exe

Modifies registry class 2 IoCs

Processes:

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exedevice.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	device.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

part.exesysdevice.exe

pid process

4716 part.exe
4716 part.exe
380 sysdevice.exe
380 sysdevice.exe

pid	process
4716	part.exe
4716	part.exe
380	sysdevice.exe
380	sysdevice.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exedevice.exepart.exe

description	pid	process	target process
PID 3316 wrote to memory of 2340	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 3316 wrote to memory of 2340	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 3316 wrote to memory of 2340	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 3316 wrote to memory of 4628	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 3316 wrote to memory of 4628	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 3316 wrote to memory of 4628	3316	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 2340 wrote to memory of 1128	2340	device.exe	WScript.exe
PID 2340 wrote to memory of 1128	2340	device.exe	WScript.exe
PID 2340 wrote to memory of 1128	2340	device.exe	WScript.exe
PID 2340 wrote to memory of 4716	2340	device.exe	part.exe
PID 2340 wrote to memory of 4716	2340	device.exe	part.exe
PID 2340 wrote to memory of 4716	2340	device.exe	part.exe
PID 4716 wrote to memory of 380	4716	part.exe	sysdevice.exe
PID 4716 wrote to memory of 380	4716	part.exe	sysdevice.exe
PID 4716 wrote to memory of 380	4716	part.exe	sysdevice.exe

C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\device.exe
C:\Users\Admin\AppData\Local\Temp\device.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\part.exe
C:\Users\Admin\AppData\Local\Temp\part.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\sysdevice.exe
C:\Windows\system32\sysdevice.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 752
5⤵
- Program crash
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1044
5⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
2⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 380 -ip 380
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 380 -ip 380
1⤵
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\device.exe
Filesize
22KB

MD5
3579f05e7e1cff412674acec362b88d2

SHA1
9105b456d90b17bd00d4e6385222120b9352ad4d

SHA256
4a789f6d809fe94c8192b6cab843d89fc142f6c2e2bab53504a7450f70f91d3a

SHA512
0436b2f2178eeaec16af30640d439ef40e204be3673dd05b63d866755a04cbf63af5a75d37d6414b245eb44e609e1e3a427781bbc0baad743151d57a78139304

Download Submit
C:\Users\Admin\AppData\Local\Temp\part.exe
Filesize
13KB

MD5
4e208656781d3579104b17eeabc1e52c

SHA1
4dba53c0f1a82860562a64010345e7c1674e1313

SHA256
c311180fb753230292fc716c1940adf91485313521a53ec835a3d093b303727f

SHA512
7f9fd51bddbe4ba8c3df176457b80c52927aebc2d75941603419fd86119b64eff0064b175fe7bcdddaed81a8b7b1af7266126dc59211d3235299d1bbcb371001

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.vbs
Filesize
182B

MD5
99dee37e762756d28393116992973fda

SHA1
416881a428844842081d9248b6d411f3f189718b

SHA256
575e7ab3ad92622286f4b6a85541a82ef8f3184dea31a547e592bf2b6216b972

SHA512
eb014d471bfe17afdcc1650c5488197dd2bba55c36ee7526d9eaa3db982ec4c054499a00945908e6b6c323a135d33ba8c748225a4c20c41d3173212c9ac55a4f

Download Submit
memory/380-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/380-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2340-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3316-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4716-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4716-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads