a15cdaf2f2ebd348a0331142e59985301ac7feb195b37443cb71cfab1e91daa6

General

Target

7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
Size

1.6MB
MD5

7518d6db8ef1321b5572bc71f824ec27
SHA1

15c64f0443f98144bb181e95040eb2ed4a764767
SHA256

a15cdaf2f2ebd348a0331142e59985301ac7feb195b37443cb71cfab1e91daa6
SHA512

828d6445ad01ff3881293368888d5ae21a7f9899793d9a332ee622e6b7be4f83f57d1bf8459d90ac8872121752c258a9a7a86d81fd857ec21f94a24063c16de7
SSDEEP

49152:2Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9b:2GIjR1Oh0T/

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2176	824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	98
PID 824 wrote to memory of 2176	824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	98
PID 824 wrote to memory of 2176	824	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	98
PID 2176 wrote to memory of 2528	2176	cmd.exe	100
PID 2176 wrote to memory of 2528	2176	cmd.exe	100
PID 2176 wrote to memory of 2528	2176	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14842.bat" "C:\Users\Admin\AppData\Local\Temp\9352897921AE4BC785E2830BC345BFCB\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14842.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\9352897921AE4BC785E2830BC345BFCB\9352897921AE4BC785E2830BC345BFCB_LogFile.txt

Filesize
2KB

MD5
7e789d5ab1bf47744b603de7c8e7c6f1

SHA1
ca5f65b91b4162e02f397ed8466b7f5fa62045fe

SHA256
ade69f73484d9fa624d48e2a6d3900a5710bff13a867e398fd97d670f9ce3ef8

SHA512
28e83e2e54363a8adcbea59686677d51acf01f8a6a1cf60c9e215746b94e1f75ae1830dae8a3281da51138e4ed5d31d6be28b46ba854b974db8f02544deb8b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\9352897921AE4BC785E2830BC345BFCB\9352897921AE4BC785E2830BC345BFCB_LogFile.txt

Filesize
9KB

MD5
831d1041ea381c4a999c0f908f38b902

SHA1
ed4a29a690c95ff98daeb0d0829662e4e1a1bedd

SHA256
404ee85504aea0d3caf76a260b9341e4c96d05961313d5c810a718b9ccd87c32

SHA512
56e89061b2a257fdd31c304442f551f1db91283f9956d4573954c78712f4ee21e91c569d45a5ad393c42e7022d9a44f9259c7a909e19dda23688b28727e315af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9352897921AE4BC785E2830BC345BFCB\9352897921AE4BC785E2830BC345BFCB_LogFile.txt

Filesize
1KB

MD5
ba9cd86cf9521c841ebd2fe56d185de0

SHA1
e81a3c1f4216e44c83dc6bbb52a0102632559e18

SHA256
14ed2605ecd02c72b575e22d102874825c84daeabd3e688a0a879ae51eb68fff

SHA512
b5daa87c2fdff8d6fdf8c70251e65acdee00f213508dcd7580ad091fefd3da48c5bd3722e3b04f47157549b00f36d7f8b3d022bf276408c4ed517dc4b5ed330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9352897921AE4BC785E2830BC345BFCB\935289~1.TXT

Filesize
105KB

MD5
0cff8d8ee7cc2e4d833b31e165445573

SHA1
121a2d90e6deed7520ae4086aa55d4ce317c689f

SHA256
2f09ada2b8905ccce4510dd5f865abf0737924ed099881051856795237622888

SHA512
7e658636c9d3132863276efe76ba5d7b8b250e25b2a6b0e439614f48c6c75d57d1e1859b5daa9bf7505339827a23129a4b5057dbab99db80977fd21319e2c2bb

Download Submit
memory/824-63-0x00000000039D0000-0x00000000039D1000-memory.dmp

Filesize
4KB

Download
memory/824-184-0x00000000039D0000-0x00000000039D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing