16f84f42ff2c8d125ee12064df2e56258ff5c6631657ea82b5152d1abf436a7c

General

Target

4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
Size

1.1MB
MD5

4c2899e3612b47b1857660cc1c143337
SHA1

5574d0e42e8ab7d37457e5367538b835fb39f702
SHA256

16f84f42ff2c8d125ee12064df2e56258ff5c6631657ea82b5152d1abf436a7c
SHA512

7ea8c8a96c3f9cfc5be513de13efdc03d6d8ebd12560cc9664cdbaa4930ab870a6122333fc6a9eb00de91b494f9a60192400058fa187c647e8c821d74e695cbd
SSDEEP

24576:DtUf7HUexbctvDygPwXyseJkQOgmfhaXy/d3iC:hUjHFg4SOvhai/d3iC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	starter.exe
4024	ArcadeYum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ArcadeYum.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	ArcadeYum.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
4024	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4024	ArcadeYum.exe
4024	ArcadeYum.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2036	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	83
PID 1920 wrote to memory of 2036	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	83
PID 1920 wrote to memory of 2036	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	83
PID 1920 wrote to memory of 4024	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	86
PID 1920 wrote to memory of 4024	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	86
PID 1920 wrote to memory of 4024	1920	4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" cHAPG5DIBUSvBpgrUIBM 936
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9Y0hBUEc1RElCVVN2QnBnclVJQk0gL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0zIC9BZExvYz05MzYgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM2Lz9wPVlUTTVNREU1TlRZeE1EaDQzSGM4MXB0aHVTQnpUaFljJTJCVElNeXJ2dEZWNFV0aEpSdHI5bFpMMXJGVjVGODd0Q0ZKbnRyTzFUTTVYb1M5JTJGJTJGZTlYa2EwMGFrQUh6cXd5R2JlR2IgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMzU3MTMxNjY1Ni0zNjY1MjU3NzI1LTI0MTU1MzE4MTItMTAwMAo=
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
883KB

MD5
e07405c65124e2d72f0c9b306018bc90

SHA1
f30c1ba999eadcd5bce7473a6b3686e1ea048371

SHA256
89ad981c161033a9465b6592c8467d565f53e2f7024ddc530a93c071a87c1951

SHA512
fd7b3c53a407ad653052347cad109ebe5f815c13083a6b120647ac869ac971afa0993cffd2b1c4a1f7fb38cdd36e60e24ce6a646566fbb58c82bb662dbed329e

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
231B

MD5
ae437dea18c61477cc2f17f46fb11d01

SHA1
94afba8148c6072ad60c6899ed717005681e9da5

SHA256
d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

SHA512
61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
74B

MD5
7ae5c0861d4469baaeff248a6ef1599f

SHA1
0124d99a8c1838c88244cae646347c4b990a5d2d

SHA256
fd87de948e97f01f9d47c6400bd57529e53533360af36df9339e541ca14c5a2d

SHA512
0e9041d2ff419f393b002bf6dca0c3450ded4566ced694528ef29e46ff39a7cbdb80072b341a6e731fc031797d9b6049825b0dab0c4780c872d8c838ad705656

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1007KB

MD5
e220811a7ef3de31f3ca80aed1dd7b9e

SHA1
9dc84732b3d2c548d6b2bf44148431303e7e0bff

SHA256
a91308356f129901c9a07f0537a08525f788f8d78b4c406dc9abe826d13eb1b5

SHA512
29fe6046a3898566167d4d4a5ea8804af6da547c81013d2c0968a19c1f871fc59b873d5769ce6d85ae3a9f7f61e7b05c72b4d5a368e8f6561b3d2b8a6e21d2fa

Download Submit
memory/4024-20-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/4024-19-0x0000000000C90000-0x0000000000D72000-memory.dmp

Filesize
904KB

Download
memory/4024-18-0x00000000739BE000-0x00000000739BF000-memory.dmp

Filesize
4KB

Download
memory/4024-21-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/4024-23-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download
memory/4024-22-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/4024-24-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download
memory/4024-25-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download
memory/4024-28-0x00000000739BE000-0x00000000739BF000-memory.dmp

Filesize
4KB

Download
memory/4024-29-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads