b8800de7bb902faf5cc115ae5aa9a66dae51340e6cf8eeff2cb4f07e5f153256

General

Target

0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
Size

846KB
MD5

0c6640148fef4e4485f31c3c713e9361
SHA1

3fa0532ed6e3d8fd03eb3b93a293ef7a77b6163f
SHA256

b8800de7bb902faf5cc115ae5aa9a66dae51340e6cf8eeff2cb4f07e5f153256
SHA512

76bd09eba20a457506e0c6fa95cacd1625bdfc9a7a4a9d6b988eed7cbae3ce25033d5320a388b92b3cd30b741778495627b2ce6eef1a32d667b477e1bf526d1f
SSDEEP

24576:FtWEmllf2nhgPqqCO84G3bHkTwtcTBCQ2u2D:F+KxtEG3bHkM412u2D

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3020	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 3780	3868	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	89
PID 3868 wrote to memory of 3780	3868	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	89
PID 3868 wrote to memory of 3780	3868	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	89
PID 3780 wrote to memory of 1640	3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	98
PID 3780 wrote to memory of 1640	3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	98
PID 3780 wrote to memory of 1640	3780	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	98
PID 1640 wrote to memory of 3020	1640	cmd.exe	100
PID 1640 wrote to memory of 3020	1640	cmd.exe	100
PID 1640 wrote to memory of 3020	1640	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\nso1D2.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso1D2.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso1D2.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso1D2.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16642.bat" "C:\Users\Admin\AppData\Local\Temp\F1CAC1D72CBC47B88421E19E5DEF5D2E\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16642.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1CAC1D72CBC47B88421E19E5DEF5D2E\F1CAC1D72CBC47B88421E19E5DEF5D2E_LogFile.txt

Filesize
9KB

MD5
79d866eec267b58cb8b7ea41ae9d832d

SHA1
0df474ea4046bb25af35de3f997f661be9f9e059

SHA256
89dffa418bb96384e698858baedeee0a9ae3671e5bb15bce8b87dfd732ba2b8f

SHA512
cb40e03c338803891dc661f0e4332b9bfbc988e102c7910e1774ff09c868bf1ebf8236ed4781c23a766920f10933d7a3476ea745a1a387e0cd3ff3573d8a5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1CAC1D72CBC47B88421E19E5DEF5D2E\F1CAC1~1.TXT

Filesize
111KB

MD5
18703f9cda8bab94b1963b6559042d51

SHA1
128158f25dca3bb640f048f2e5d73abd4e2a2ea5

SHA256
f2551fe36ee55c1cfce7663d267220ab19791252b4194c7a84976882e4ef2bfc

SHA512
7221da246d57aecb79982d5e0dcd7275c2218c0af99cccef33ce15cd1212dc86b4966d8eb36a7bad615bc5e0ff81cbb7eb34dd7ef0104a493b1cf3ba86173850

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1D2.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Filesize
1.8MB

MD5
b1d671736e8e4afd77b6a84f52a85165

SHA1
3392417c0f9ed0a3b0c3bac4b66f22ed459b29dd

SHA256
9cffb8f38ca1ff1c7a6244e17dee39d8d379ba5816ced18aeadd91b46aa4a37c

SHA512
4ef78e54759f0a829daea4f79b75827dba6bf6a05666154112b535922a822152df40db2f2fca71fbfcf48ed8f3e730597a936bd8e40dc6192874c1608259b299

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1D2.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1D2.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
memory/3868-113-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3868-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing