e4a62b2f18d22b58a104c2976e2e5104606e470a064bdf7d0bb2b0e9aba84bf9

General

Target

35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe
Size

285KB
MD5

35320119bdf9b8953c68ffd5fd55a986
SHA1

832af2ba23d8c3dd725a9e6ad542e6118ed29dc6
SHA256

e4a62b2f18d22b58a104c2976e2e5104606e470a064bdf7d0bb2b0e9aba84bf9
SHA512

f029ea1f6ace487bb6ad4ecdbb92f8c86effd4c77c3fa8440e3f0bd786d6bcbcb54acc08bb51ff1e1ee34a5209c5008e0fef7868fec7520f90a3432452d25dd7
SSDEEP

6144:IkgmBi2yls2Yt8QFRpRaoI5/HJ1W97A4ck7g1Ok3rswn2fexNtqoWGDgE62W4oNf:IkgmBi2yls2YtInFTqoWGDgE62ucv25Z

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
836	pscript.exe
4160	pscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Miсrоsoft ® Windоws Based Scriрt Hоst = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Script Invoker\\pscript.exe"	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Miсrоsoft ® Windоws Based Scriрt Hоst = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Script Invoker\\pscript.exe"	pscript.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
	49	api.ipify.org
	50	api.ipify.org
HTTP URL	65	https://api.opennicproject.org/geoip/?bare
HTTP URL	47	https://api.opennicproject.org/geoip/?bare

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 836 set thread context of 4160	836	pscript.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4160	pscript.exe
4160	pscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe
Token: SeDebugPrivilege	4160	pscript.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 1664 wrote to memory of 4184	1664	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	88
PID 4184 wrote to memory of 836	4184	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	99
PID 4184 wrote to memory of 836	4184	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	99
PID 4184 wrote to memory of 836	4184	35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe	99
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100
PID 836 wrote to memory of 4160	836	pscript.exe	100

C:\Users\Admin\AppData\Local\Temp\35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Roaming\Windows Script Invoker\pscript.exe
    "C:\Users\Admin\AppData\Roaming\Windows Script Invoker\pscript.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Roaming\Windows Script Invoker\pscript.exe
      "C:\Users\Admin\AppData\Roaming\Windows Script Invoker\pscript.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\35320119bdf9b8953c68ffd5fd55a986_JaffaCakes118.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Script Invoker\pscript.exe

Filesize
285KB

MD5
35320119bdf9b8953c68ffd5fd55a986

SHA1
832af2ba23d8c3dd725a9e6ad542e6118ed29dc6

SHA256
e4a62b2f18d22b58a104c2976e2e5104606e470a064bdf7d0bb2b0e9aba84bf9

SHA512
f029ea1f6ace487bb6ad4ecdbb92f8c86effd4c77c3fa8440e3f0bd786d6bcbcb54acc08bb51ff1e1ee34a5209c5008e0fef7868fec7520f90a3432452d25dd7

Download Submit
memory/836-35-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/836-34-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/836-27-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1664-7-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1664-9-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1664-0-0x0000000074C72000-0x0000000074C73000-memory.dmp

Filesize
4KB

Download
memory/1664-2-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1664-1-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4160-36-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4160-37-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4184-11-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4184-8-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4184-10-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4184-26-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4184-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-28-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads