dae206ef85bbd2a419c6c1e616c3e42fb298b21a332a32123c5e6b46518c37d8

General

Target

63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe
Size

4.6MB
MD5

63f58a03206b8df91e6ea443b7ee2b47
SHA1

bbaf76a0543914a0880ce7abf9c1a1a301cd6a7b
SHA256

dae206ef85bbd2a419c6c1e616c3e42fb298b21a332a32123c5e6b46518c37d8
SHA512

d3698a5ea7140b3128df731e687a48141c0a7e76c16a31ba0a7cfae9fa770b517720efd062729ebeec80892394608ebc0b3e08038cfca5969d4ecd156aed18bd
SSDEEP

98304:YErpgKZV1h8JyBiNLc5+Jd1mGoM7wdf+Hqg1nmV2HZCkS73P2E9Ak0gK:3pTfpBiN8+Jd13kdGHnF5TMVAk0T

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

supoptsetup.exesupoptsetup.tmp

pid process

4764 supoptsetup.exe
548 supoptsetup.tmp
Loads dropped DLL 5 IoCs

Processes:

supoptsetup.tmp

pid process

548 supoptsetup.tmp
548 supoptsetup.tmp
548 supoptsetup.tmp
548 supoptsetup.tmp
548 supoptsetup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4764	supoptsetup.exe
548	supoptsetup.tmp

pid	process
548	supoptsetup.tmp
548	supoptsetup.tmp
548	supoptsetup.tmp
548	supoptsetup.tmp
548	supoptsetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

supoptsetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	supoptsetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	supoptsetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe

pid process

1184 63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe
1184 63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe

pid	process
1184	63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe
1184	63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exesupoptsetup.exe

description	pid	process	target process
PID 1184 wrote to memory of 4764	1184	63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe	supoptsetup.exe
PID 1184 wrote to memory of 4764	1184	63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe	supoptsetup.exe
PID 1184 wrote to memory of 4764	1184	63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe	supoptsetup.exe
PID 4764 wrote to memory of 548	4764	supoptsetup.exe	supoptsetup.tmp
PID 4764 wrote to memory of 548	4764	supoptsetup.exe	supoptsetup.tmp
PID 4764 wrote to memory of 548	4764	supoptsetup.exe	supoptsetup.tmp

C:\Users\Admin\AppData\Local\Temp\63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63f58a03206b8df91e6ea443b7ee2b47_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\supoptsetup.exe
C:\Users\Admin\AppData\Local\Temp\\supoptsetup.exe /MMJS /startup=0
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\is-F63RF.tmp\supoptsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F63RF.tmp\supoptsetup.tmp" /SL5="$11005C,3981671,221184,C:\Users\Admin\AppData\Local\Temp\supoptsetup.exe" /MMJS /startup=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F63RF.tmp\supoptsetup.tmp

Filesize
1.2MB

MD5
531d4252ae063008bd6e38aa582644fd

SHA1
0deaa1d2eb91c6ce251d1a47c9541cc28e91c028

SHA256
b4ba314ea7e972ce63c30f63150039b91fab004a4069c8cf6eafd46db1ba9775

SHA512
075851d248a859e771a0b36b89340c093b4a66da691b805140d619908ed05fe7c03619d82cce7eeb1e6aeb01443dc1de558f5d9d13d9f17560fd9fa0d85b126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQIH1.tmp\SupOptHelper.dll

Filesize
1.2MB

MD5
f8effd4170e2d87ac5cbde8041b7ca35

SHA1
fa6d17177d7735ba2b3ecc419a2c948228c985a2

SHA256
3d7368ad358eabc3b6eec988fb5a0acf4acf112e3fb5ed2ef686ed05e2c6104d

SHA512
c01e4de0cae3d5c43a511c9abdfebe8b61a4dc129cbb075e8d8654255cf7dadd4c301aec12a1c78f442810b82ee81e97fb4754dd884316a27d3ce3873c11bdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQIH1.tmp\idp.dll

Filesize
228KB

MD5
9a83f220bf8ca569e3cfa654539a47a4

SHA1
9d1fb7087c12512d5f66d9d75f2fbae8e1196544

SHA256
b1c4c9b2dd6a40974fa8789b218b52d967f5ccd1b47e95b4f6bda4b6ce864d0d

SHA512
9b6460aca9720a4762a28e78a0e5f3e7358f73383926caf7f4a071e66c79f1032abd131432387f108de27894c147e2f34f01b094b6688826ce78f007d9dafbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQIH1.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\supoptsetup.exe

Filesize
4.3MB

MD5
e3d5964930d6ea237b8c8a756082ac66

SHA1
b26c206b2f4ec04746d883bff9ed61bbacef2e20

SHA256
65e229c4bfb3fb359fb06ef19b45613e368972c450b2b214e75517331105e096

SHA512
1118dfe4b83f7292b4a1e3b26a1ae4e4556114547c347969730487dc5ac7a18b629d9cc373284d30c512a8ba09af2f6aa2a06bb0bc005fff2cd26607fd5b00fe

Download Submit
memory/548-10-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/548-24-0x00000000033A0000-0x00000000033DC000-memory.dmp

Filesize
240KB

Download
memory/548-29-0x0000000004130000-0x0000000004277000-memory.dmp

Filesize
1.3MB

Download
memory/548-31-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/548-33-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/548-34-0x00000000033A0000-0x00000000033DC000-memory.dmp

Filesize
240KB

Download
memory/548-35-0x0000000004130000-0x0000000004277000-memory.dmp

Filesize
1.3MB

Download
memory/4764-4-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4764-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing