5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

General

Target

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
Size

661KB
MD5

69715a3737689f3af82dc9fe678daeaa
SHA1

10cec059bb7fc0a6aadf00c7e5c67c642d1115dc
SHA256

5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5
SHA512

752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca
SSDEEP

12288:faWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8ri6a:CaHMv6CorjqnyC8r2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2700 svchost.exe
508 svchost.exe

pid	process
2700	svchost.exe
508	svchost.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2328-0-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\svchost.exe	autoit_exe
behavioral2/memory/2700-21-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 2328 set thread context of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2700 set thread context of 508	2700	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

pid process

1524 69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
508 svchost.exe

pid	process
1524	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
508	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 2328 wrote to memory of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2328 wrote to memory of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2328 wrote to memory of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2328 wrote to memory of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2328 wrote to memory of 1524	2328	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 1524 wrote to memory of 2700	1524	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 2700	1524	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 1524 wrote to memory of 2700	1524	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 2700 wrote to memory of 508	2700	svchost.exe	svchost.exe
PID 2700 wrote to memory of 508	2700	svchost.exe	svchost.exe
PID 2700 wrote to memory of 508	2700	svchost.exe	svchost.exe
PID 2700 wrote to memory of 508	2700	svchost.exe	svchost.exe
PID 2700 wrote to memory of 508	2700	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
661KB

MD5
69715a3737689f3af82dc9fe678daeaa

SHA1
10cec059bb7fc0a6aadf00c7e5c67c642d1115dc

SHA256
5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

SHA512
752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca

Download Submit
memory/508-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/508-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2700-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads