4652853b89746a272a790d68dab0d9928479deaf47b6e637d1527be88581c684

General

Target

65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
Size

783KB
MD5

65dccf8a8e79cdffd9503b7bb02a214b
SHA1

05e5f36b30eea224f854512cc51711c0dd946cf4
SHA256

4652853b89746a272a790d68dab0d9928479deaf47b6e637d1527be88581c684
SHA512

2d04b9bc4050afde8f219735916baf27a1d0cdf68aec8d9c7cea856bb50c7da308d4377ce8f2ec58bdff0e5342ebfe697cec1bbd5e9f1fcb72c2be5375ab6662
SSDEEP

12288:78gvKPTYu3Rt1EzCT0r42brU/kcKXIMq0VumwNn6ciC:70TNRtm9nrU/YXSms7i

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protected.lnk WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protected.lnk	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected = "C:\\Users\\Admin\\AppData\\Roaming\\Protected.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

description	pid	process	target process
PID 1136 set thread context of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1136 wrote to memory of 2724	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	cmd.exe
PID 1136 wrote to memory of 2724	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	cmd.exe
PID 1136 wrote to memory of 2724	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	cmd.exe
PID 2724 wrote to memory of 1852	2724	cmd.exe	reg.exe
PID 2724 wrote to memory of 1852	2724	cmd.exe	reg.exe
PID 2724 wrote to memory of 1852	2724	cmd.exe	reg.exe
PID 1136 wrote to memory of 3924	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	WScript.exe
PID 1136 wrote to memory of 3924	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	WScript.exe
PID 1136 wrote to memory of 3924	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	WScript.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
PID 1136 wrote to memory of 4688	1136	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe	65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Protected" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Protected.exe" /f & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Protected" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Protected.exe" /f
3⤵
- Adds Run key to start application
PID:1852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Protected.vbs"
2⤵
- Drops startup file
PID:3924

C:\Users\Admin\AppData\Local\Temp\65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65dccf8a8e79cdffd9503b7bb02a214b_JaffaCakes118.exe"
2⤵
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protected.vbs
Filesize
486B

MD5
2587877cb2996938e84649661163fda6

SHA1
b1006953effd236ab7be0b929a1e872555c37695

SHA256
238414d41f9d60a68b00842373a3a0b98b65737bb8ae0d47dc5cf7b5e675c96c

SHA512
87b618f3add9d4ef833bce46ae2c8eeb3dd2598445676b1dffddb1971020994dcd0a8ae7ea05d3d1cbbe312787d2df76d5cf300f6efd65faeffb70c574d96d03

Download Submit
memory/1136-0-0x0000000075052000-0x0000000075053000-memory.dmp

Filesize
4KB

Download
memory/1136-1-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/1136-2-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/1136-3-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/1136-4-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/1136-14-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4688-12-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads