18bb890d50e9710a88cd4aee0796c71d3fc9d51ec424040cb00558ae8aab5573

General

Target

1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
Size

1.6MB
MD5

1378623c54577c3c86bc3aa614a0917e
SHA1

cd6e385e98074837f7e9f0c4bf48402429857408
SHA256

18bb890d50e9710a88cd4aee0796c71d3fc9d51ec424040cb00558ae8aab5573
SHA512

7994210e6dfa6698f21e2be4f3202aa1b325b8613e2637b02a47a0c86189a13ae1a3dd577b92060a4838011b37ca2e453729960324e593249d8f9a0c1f0d55f4
SSDEEP

24576:iQi/T0gH3m4C4kOudJDcPXgejld25qbqLlJXkluJoz3KpTsBNkdSnMBTlP0Qjcpz:i9r0gXm4CgAtcPXyq2pJXkkorkSGpfE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Executes dropped EXE 3 IoCs

pid	Process
4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
748	msnetcore.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	msnetcore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	msnetcore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	msnetcore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	msnetcore.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-QQTSE.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msbuild.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnet.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-TR37L.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-5D3GV.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-N0EIR.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3176	taskkill.exe
1528	taskkill.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	msnetcore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
748	msnetcore.exe
748	msnetcore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4828	3184	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	83
PID 3184 wrote to memory of 4828	3184	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	83
PID 3184 wrote to memory of 4828	3184	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	83
PID 4828 wrote to memory of 1712	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	84
PID 4828 wrote to memory of 1712	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	84
PID 4828 wrote to memory of 1712	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	84
PID 4828 wrote to memory of 3176	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	85
PID 4828 wrote to memory of 3176	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	85
PID 4828 wrote to memory of 3176	4828	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	85
PID 1712 wrote to memory of 5056	1712	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	87
PID 1712 wrote to memory of 5056	1712	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	87
PID 1712 wrote to memory of 5056	1712	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	87
PID 5056 wrote to memory of 1528	5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	88
PID 5056 wrote to memory of 1528	5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	88
PID 5056 wrote to memory of 1528	5056	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	88

C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\is-NM969.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NM969.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp" /SL5="$80160,1431047,56832,C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe" /VERYSILENT /SP-
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\is-1IUOQ.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1IUOQ.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp" /SL5="$501D2,1431047,56832,C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe" /VERYSILENT /SP-
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3176

C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe
"C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\v2.0.507279\corecfg.ini

Filesize
259B

MD5
f42aa406ed306b8d00ed512de90068ae

SHA1
364bee70880dbee1c070c25f95037a4882fcf08d

SHA256
195fe5db844cdf13e7ee1e4bae3b0cec6a2b24659b482c42af76cbde59eb8b33

SHA512
6ddd5a43e55348290a47dceeacc8821ceef1791c1af6a709f338663f8693b312acd8ceecf0b1b55d2c861d34860777d1728f49381a9a75333904e6f8a87ce012

Download Submit
C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe

Filesize
3.3MB

MD5
fd3fa916884a91bf26c86101900854f6

SHA1
124a4242eb33c30146598411f1fa62b3f7c9c05b

SHA256
a9c3a00a801e5d3abaaed4c1adf21ea38803f80bc9575651f821323b54372968

SHA512
16e46f382f0ae1aff3d6aad04bc464eba261baa29d0b1f0ca0a3c290f23e239cf82485bbc3bcf0baa32b595478ea3fded18532653b3d08bc1e04adb6c28c475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NM969.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TG37R.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/748-82-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/748-135-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/748-119-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/748-95-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/748-132-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/748-45-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1712-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1712-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1712-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3184-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3184-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3184-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4828-7-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4828-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5056-28-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5056-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing