4e9733bb0f1a9247ee403e06319f11aae4cc67f4b3ef7f2c6ef73830f18abbf4

General

Target

ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe
Size

14KB
MD5

ffb8daa3a49fe113c4f3a4e0ed785b65
SHA1

cfa0ccea08f9e3c7c5f7a658e6790f9ac469524e
SHA256

4e9733bb0f1a9247ee403e06319f11aae4cc67f4b3ef7f2c6ef73830f18abbf4
SHA512

4bbb921d9b1524a2cd1bd5f9b839101213658583ab1cc3cb2f692db93a39110c2797d5d7ef718d7ed66c5249d2c28517f927e06ba7060d01016559badbd10579
SSDEEP

384:byi8T5ePaOaNJawcudoD7UGaMMIeM4m7L:byXTKsnbcuyD7ULP2L

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
4328	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4752-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4328	4752	ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe	89
PID 4752 wrote to memory of 4328	4752	ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe	89
PID 4752 wrote to memory of 4328	4752	ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe	89
PID 4328 wrote to memory of 3980	4328	b2e.exe	90
PID 4328 wrote to memory of 3980	4328	b2e.exe	90
PID 4328 wrote to memory of 3980	4328	b2e.exe	90
PID 3980 wrote to memory of 2548	3980	cmd.exe	93
PID 3980 wrote to memory of 2548	3980	cmd.exe	93
PID 4328 wrote to memory of 228	4328	b2e.exe	94
PID 4328 wrote to memory of 228	4328	b2e.exe	94
PID 4328 wrote to memory of 228	4328	b2e.exe	94

C:\Users\Admin\AppData\Local\Temp\ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\217D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\217D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\217D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\ffb8daa3a49fe113c4f3a4e0ed785b65_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BBE.tmp\batfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=43
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4124 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4000 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5056 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5456 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5884 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5896 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\217D.tmp\b2e.exe

Filesize
8KB

MD5
6a7329f15480d4ca075dd593c7572d14

SHA1
cbe94a895b719efdb2309e2d3cdd469c5c5fef55

SHA256
50c8fe18a33985b19b5a88d9d6d94193079aea9cfaa89be9b28ec771e04e4670

SHA512
ba0a5b9fa41faadebe8124d44e03bb05fb5e6a9eec4052c90fc2d30852200e789b6183afd9deeea64c8aa944b8f28d6ef983dd64f1aaf581d930a98d5240f874

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BBE.tmp\batfile.bat

Filesize
77B

MD5
ba7c5c724c70ee9f04c4933b18083e49

SHA1
d6c6dcbe9cbfb829296dc21ff41292cac64fdc9c

SHA256
aad13997529ce15c8b987178057a01b5e8236f0daf5b94f29dabaa778105388c

SHA512
d34f0f812c72580e1c505da5dfa636e18fea800cbf36e2ed11bfc423cf7a871981991b3a7e65e45b54aeb15f3f37f8eaef2e408a03585f2c46c95fbcbf63e09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
97586cb81404db706627e1827edcd580

SHA1
e01ddf201445ede870cd9a9f2c4ceb263761f435

SHA256
5bd2da8a6f3cc19b88a424ff1132d421a19409250d1b4c63494196e9e491ab13

SHA512
9965230bf20fbc2208ec99e86cc468b51b9990835c0924533b18c4062b9f7d339960611713545dc4f507e430325e1f01f530e53af9f82f15bf8a52d6102d1047

Download Submit
memory/4328-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4328-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4752-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing