a95a45de6e7e40cb31e5dc7218085d919833e18ba59ed4e198981d2cfe9758dd

General

Target

76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe
Size

616KB
MD5

76b26957b091fd72980a06cb3ba3478c
SHA1

83a89e04483d454bd23230f1af4fbb6ccd460916
SHA256

a95a45de6e7e40cb31e5dc7218085d919833e18ba59ed4e198981d2cfe9758dd
SHA512

c7cd02618648a985b9dda70eed17be83b5f1899ebae22942fd409f43b50d6c378187d2cba970c1432b7d37493d499e0be82d0ccebca1e3d477a451910dd4b6e0
SSDEEP

12288:jh1Lk70TnvjcdxAhBmLUtBrV4m0sL4zWIasc0VOEx0axQL:/k70TrcDA7mLUnu5asv+aC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4280	understand.exe

Loads dropped DLL 1 IoCs

pid	Process
4280	understand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000000026-42.dat	nsis_installer_1
behavioral2/files/0x0009000000000026-42.dat	nsis_installer_2

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE
4676	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4280	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	100
PID 1804 wrote to memory of 4280	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	100
PID 1804 wrote to memory of 4280	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	100
PID 1804 wrote to memory of 2028	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	101
PID 1804 wrote to memory of 2028	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	101
PID 1804 wrote to memory of 2028	1804	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	101
PID 2028 wrote to memory of 2336	2028	cmd.exe	103
PID 2028 wrote to memory of 2336	2028	cmd.exe	103
PID 2028 wrote to memory of 2336	2028	cmd.exe	103
PID 2028 wrote to memory of 4676	2028	cmd.exe	104
PID 2028 wrote to memory of 4676	2028	cmd.exe	104
PID 2028 wrote to memory of 4676	2028	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\understand.exe
  "C:\Users\Admin\AppData\Local\Temp\understand.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:2336
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv3655.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\understand.exe

Filesize
346KB

MD5
df88a0d3a6622033b25a90612dbbc211

SHA1
6eea347eb5d5686ca26af3cb2be40c626b53a2d4

SHA256
b4428f6130fdf4e5ef214bfae6c8a52010ab55f66b0c444b253cb6cf65a8d80c

SHA512
949f2aa8618e141b9baed0fa49fdc2454ab086f4f62d36af3760053f1f35b72f99bef69e0b49447d7074c4ea82ee85b03e3c0057dbbdd9ceb2018cb97a65d899

Download Submit
memory/1804-9-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-1-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-4-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-5-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/1804-6-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1804-7-0x0000000004DC0000-0x0000000004E3C000-memory.dmp

Filesize
496KB

Download
memory/1804-26-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-11-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-25-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-23-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-21-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-17-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-15-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-13-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-8-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-27-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-28-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-29-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-31-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-32-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-33-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-34-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-35-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-36-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-37-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1804-2-0x0000000002880000-0x00000000028FC000-memory.dmp

Filesize
496KB

Download
memory/1804-19-0x0000000004DC0000-0x0000000004E35000-memory.dmp

Filesize
468KB

Download
memory/1804-58-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4280-57-0x0000000009870000-0x0000000009891000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing