4f0dbc194d79df6349075e392471ffe8c73676f3b5653b1fef011f97292f0e7c

General

Target

48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
Size

789KB
MD5

48881f9f6d605bd8afbc9c54fe267511
SHA1

f77f719736577af8f82a742716fc1ff856f37ee3
SHA256

4f0dbc194d79df6349075e392471ffe8c73676f3b5653b1fef011f97292f0e7c
SHA512

0d813da9f669190bc8d7f2a537e770731fa4eb2ac416c1c3d9dca35991d892c8caaead1f5ebace939f36ee774d4c6d5738d918908336f18751fb0492fb058161
SSDEEP

12288:itobbXN42nHq+EgqfRAUEcB3gOE6DZlZUXavlXluE70pFdZigcyrG4EEu44na:it8RHjEgYAw1hZlZTWQu7igcyKPEuja

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
964	48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3628	964	48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	83
PID 964 wrote to memory of 3628	964	48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	83
PID 964 wrote to memory of 3628	964	48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	83
PID 3628 wrote to memory of 1056	3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	98
PID 3628 wrote to memory of 1056	3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	98
PID 3628 wrote to memory of 1056	3628	internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi42A8.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12094.bat" "C:\Users\Admin\AppData\Local\Temp\29E4DBEA3BA845468B9D6D5BB85B930C\""
    3⤵
    PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$I5YYOQL

Filesize
98B

MD5
5ffcefe4c828bc08ca001e38e74ce811

SHA1
37aa361d58e3b6988a156acdbea99feb754a84af

SHA256
c04ef8a459c1f24fbeee51230647e96b03adf3810c156f8e84af58d92d54e74c

SHA512
fc706b8106f699268253ba8bd023f5f0eba6955cda4ad2b338d418b8802ea55aff6ed92bc6656086734b3d61d6d07bcdf001f28924f8a0b8d12e10e2b3983759

Download Submit
C:\Users\Admin\AppData\Local\Temp\12094.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E4DBEA3BA845468B9D6D5BB85B930C\29E4DBEA3BA845468B9D6D5BB85B930C_LogFile.txt

Filesize
10KB

MD5
6123b1b2c4b7adcd9fab15cd99b1ced9

SHA1
6386a61c459f02820569b0f802084a14d350324f

SHA256
66d8717879666d726b77e08e46756d5b4dbdfa2c61933e4491356dacb6ffe466

SHA512
8584f0b142298f6edec20c0c584008bea7eaa29968ad7f1edb9e59ec01dc8750ef9cbb4ca8efe316d1122b553b7422d85758ab27733076d28cf2fd638768e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E4DBEA3BA845468B9D6D5BB85B930C\29E4DB~1.TXT

Filesize
109KB

MD5
655790e060b3f8391abc941757abc9cc

SHA1
c24b52f64e0af319ea90766443cd1f8828233e19

SHA256
e86110b255163b9f3678f5bd7dd65b2248145178840cc554d3c00a9c3f3cd8f8

SHA512
12c8d660a6ea7ffd35125df0e1b70027cfe6c8a210889aaa196629373f3c0a1f2344ee9dd62a0385da1f5511652679d8cc2867b08a197f5153954f6e0bd56874

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118.exe

Filesize
1.8MB

MD5
9ab5db4bb5971035b4d287d64f9676b5

SHA1
33d17f016339572dd05c124d6243fffefd0cd039

SHA256
f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209

SHA512
d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi42A8.tmp\internal48881f9f6d605bd8afbc9c54fe267511_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
memory/964-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/964-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-76-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/3628-212-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing