b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56

General

Target

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
Size

2.1MB
MD5

51ddbe4cbd6cf9e71ed36656961f62ac
SHA1

d4515419337741285e9ddefa13c4ad02f8dea4dd
SHA256

b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56
SHA512

3afee0f39b039b4551b77ea38029b5cef2aed7fd9db7f70bb8dd7a61e4abb4a5ec712bdfa92e3b20a8063db2440e4d13e1cf2547f59489d830b316563556fa99
SSDEEP

49152:rh5n9jt3/btUZhdrQ31JeuhO45Eg9wVwdOv:RFgrQ3j/g45Eg9wiOv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exenetprotocol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Executes dropped EXE 1 IoCs

Processes:

netprotocol.exe

pid process

2672 netprotocol.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

netprotocol.exe

pid process

2672 netprotocol.exe
2672 netprotocol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

netprotocol.exe

description pid process

Token: SeDebugPrivilege 2672 netprotocol.exe

pid	process
2672	netprotocol.exe

pid	process
2672	netprotocol.exe
2672	netprotocol.exe

description	pid	process
Token: SeDebugPrivilege	2672	netprotocol.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exenetprotocol.execmd.exevbc.exe

description	pid	process	target process
PID 3304 wrote to memory of 2672	3304	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 3304 wrote to memory of 2672	3304	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 3304 wrote to memory of 2672	3304	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2672 wrote to memory of 4840	2672	netprotocol.exe	cmd.exe
PID 2672 wrote to memory of 4840	2672	netprotocol.exe	cmd.exe
PID 2672 wrote to memory of 4840	2672	netprotocol.exe	cmd.exe
PID 4840 wrote to memory of 2040	4840	cmd.exe	reg.exe
PID 4840 wrote to memory of 2040	4840	cmd.exe	reg.exe
PID 4840 wrote to memory of 2040	4840	cmd.exe	reg.exe
PID 2672 wrote to memory of 2764	2672	netprotocol.exe	vbc.exe
PID 2672 wrote to memory of 2764	2672	netprotocol.exe	vbc.exe
PID 2672 wrote to memory of 2764	2672	netprotocol.exe	vbc.exe
PID 2764 wrote to memory of 2444	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 2444	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 2444	2764	vbc.exe	cvtres.exe
PID 2672 wrote to memory of 4596	2672	netprotocol.exe	netprotocol.exe
PID 2672 wrote to memory of 4596	2672	netprotocol.exe	netprotocol.exe
PID 2672 wrote to memory of 4596	2672	netprotocol.exe	netprotocol.exe

C:\Users\Admin\AppData\Local\Temp\51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
4⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5cw5qbrq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc146644CBE1D643E48C49B0CECC73878.TMP"
4⤵
PID:2444

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cw5qbrq.0.vb
Filesize
3KB

MD5
e40446114fd3a07083f484e14fcba4c4

SHA1
086fcf1aac441cbb6f59fa079b506aabb94a493c

SHA256
ec6b3348f5b776c8adaba5b50714667f393c693d1839bccf01385f7094d6c9ac

SHA512
4143d482b15938b44505f5e5ecba5c0080f83d8c29b84f4e93819afd5da1bf37327f16911ff1ace253b9167c514bf5422f1c85fa72cdbe7892180fe22e9b5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cw5qbrq.cmdline
Filesize
224B

MD5
fa080edbf23f0fcb868afe7962cc80df

SHA1
fb8c07b067c28c7b8a4b78ca12b7d68c96b2d204

SHA256
22a4ae5f30994d5c001ee2e9199bdca6e84649c37b5d2415bba8e979af554d18

SHA512
f1fb45c9c5a8a0f4aef0187a6d77c4f0e68b7313d5d402327e076da7252a5e536d2ccfd8d62f88186e54e20e9cdebf6d2f7bab46ebc291b6eb8b7942b2fa1fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C5F.tmp
Filesize
1KB

MD5
84cd3a13af884e191ae6fb529dd0039c

SHA1
d880e5a608cf092c9874f9c12426b67ff846130f

SHA256
98faf04cb7bd535749e9f1093abdf7c77ac9e4731983d74528480efcce569684

SHA512
53f228e26d4654027debe70ef8f5c0e3cacabe3bcf73a638534e54d900fff2f938c49b698e3d018e6befcfa3a8c13d95fa858c743ba11067c58307fdd4a1a0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc146644CBE1D643E48C49B0CECC73878.TMP
Filesize
964B

MD5
52d9c8ba23ef6a3c6542be3c34f9adbf

SHA1
3bf7b4f0ba7ac08798c5f5c52d119f79c26017d3

SHA256
e7c06aca847231b51e5303b631cf78f34cd2fcb074a239267bc737258f6a5e9b

SHA512
6dc22e583b418ca4da2cb996f3bc1e18127d3849ca3fd175f580d34768e32eb12a3f4675a2a346b324e72845b870d42fa6397d2aeab305dd08a2eac9f3fe57a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
Filesize
2.1MB

MD5
51ddbe4cbd6cf9e71ed36656961f62ac

SHA1
d4515419337741285e9ddefa13c4ad02f8dea4dd

SHA256
b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56

SHA512
3afee0f39b039b4551b77ea38029b5cef2aed7fd9db7f70bb8dd7a61e4abb4a5ec712bdfa92e3b20a8063db2440e4d13e1cf2547f59489d830b316563556fa99

Download Submit
memory/2672-20-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2672-18-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2672-17-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2672-37-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-25-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-34-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3304-0-0x0000000074712000-0x0000000074713000-memory.dmp

Filesize
4KB

Download
memory/3304-19-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3304-2-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3304-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing