4e7b5b4c5d512792e40674261bdb140c665ec1d2ad9c59ba62488105926d3e27

General

Target

03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe
Size

1.1MB
MD5

03d2c7448c7fadf76e92549fe87cfb51
SHA1

41a97a2b3f07d2855825eb334e5ab5b3e7b2a226
SHA256

4e7b5b4c5d512792e40674261bdb140c665ec1d2ad9c59ba62488105926d3e27
SHA512

c5e241dffc86bc9f6a5567243a3b71efca36ae146f58a15c86505726b7f394167fc03b92e520e1832bc2f02edab06004f7c7fed082a39cc7d078cc5b4a7d6bba
SSDEEP

24576:D9f06aiwrFnio0DQuJRSjlVJrztBSP7w69jF1+0uq0tW:xs6aiwJiBIlVbBn6BF1Wq0tW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4796	starter.exe
4120	ArcadeYum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ArcadeYum.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	ArcadeYum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ArcadeYum.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe
2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe
4120	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4120	ArcadeYum.exe
4120	ArcadeYum.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4796	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	81
PID 2320 wrote to memory of 4796	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	81
PID 2320 wrote to memory of 4796	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	81
PID 2320 wrote to memory of 4120	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	86
PID 2320 wrote to memory of 4120	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	86
PID 2320 wrote to memory of 4120	2320	03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d2c7448c7fadf76e92549fe87cfb51_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" erAPE5064440doMIuCBL 934
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9ZXJBUEU1MDY0NDQwZG9NSXVDQkwgL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0xIC9BZExvYz05MzQgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM0Lz9wPVlUTXdPRE0wTVRBeU1qaDQzSGM4MXB0aHVTQnpUaFljJTJCVElNTW9GNVZrbWF6WlZzbUZDNDZCTEU4ZDA4b0ZSV2ZjNE5RZ0pZdEklMkJNSXM3SFdBVSUyRkJNOGRNSTAlMkZXUkp1RHo5SiAvb3B0aW1pemVHQz0wXDBMQkN1SU1vZDA0NDQ2MDVFUEFyZUxCIC91c2VyTmFtZT1BZG1pbiAvdXNlclNJRD1TLTEtNS0yMS0zOTA2Mjg3MDIwLTI5MTU0NzQ2MDgtMTc1NTYxNzc4Ny0xMDAwCg==
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
884KB

MD5
dfda1c89e2b9945e717957c0799fa935

SHA1
1217d0759b8006f250a1ce7b921abf14ba93aa96

SHA256
cc8ca59dd4f2fe5027790fc92ec3c488956e4d2b2b161107f11fc9aef8053a18

SHA512
9939f2c757b0a183cd66abf81bd54d91e9042f44ad257402ff5f8f8f5a7dc41d6616a0a5c8842df1daf3b6396dccebe404e02d1c0e308690b05df49d23cdf5c1

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
315B

MD5
acd39163e3bd0fa14d38bf71f7961fb9

SHA1
7466c306f923f35100997f9d46c5048f191e52a4

SHA256
a966ecb64a2935f44d4b506dd3bac8261c12e1e2b109d6b9197ef01980944f9a

SHA512
4f7cea360b7ee4e8c35534e9ae5f1d65cbdaa320fecbc9916bae566421de3237a899a3f288966f203832111b5e25ed817cc7a895b5c8e58199bad008749162ec

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
74B

MD5
ce643dca3c66daa0dcbbf8c3dfb50ed0

SHA1
b0c3be730a5356fd9a7ed19d5d8dd74c85c000f2

SHA256
2b1df258d0388042a78cc86495c09265f66c429cbc0a018bdba39baa489ea77b

SHA512
1beb6180498b736a96d4ababaed6bc65a305beb22695fd06fad97f3e2bbc10c3ae738a0e17c81eba3eb26a20a13835f27e526fbdbe26228a2d54fa918831f47b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1009KB

MD5
5192e79a2f370aa3e8986a8a6573c97f

SHA1
25f0f0eb5889168c7f9da0befaaa7dbbdac5eda3

SHA256
427781fe5dc69aaae5b1afeef42a1455bb5244870eb21524da41ff65cdb9d55a

SHA512
e1d56d739a817c8889e78363896f3a50e8f781425af2e96998ff35c38b9bf540d146db1900405677e2269961ae7ede19a85cbf500b68d74eb1d81a26453f7f3f

Download Submit
memory/4120-22-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4120-19-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/4120-20-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-21-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4120-18-0x0000000000A80000-0x0000000000B62000-memory.dmp

Filesize
904KB

Download
memory/4120-23-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/4120-24-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4120-27-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4120-28-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/4120-29-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4120-30-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4120-31-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads