2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58

General

Target

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
Size

676KB
MD5

7bc4368793b130067be12f0e726b4ec1
SHA1

94c5ebe0bf5874f2ba0432f9149689e233341996
SHA256

2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58
SHA512

9f0c83f6b2625b36eecec10aed9aaba272a5a625fc5b6a20133f59197dd2773e9d40917e59bab95a17288500ccbbdfaa6e1b884b0e205f218d44e1c238fed52f
SSDEEP

6144:WDaGcrro77c7rQKvRzS8k1q92TUb/nTNMYxTGtGfLhPuTC9U:WDaG7477w1qITWnTQeP

Score

7^/10

agilenet

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Executes dropped EXE 2 IoCs

Processes:

enrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid process

4052 enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2036 enrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid	process
4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2036	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1692-5-0x0000000005300000-0x0000000005330000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid process

1692 7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
4052 enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2036 enrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid	process
1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2036	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

description	pid	process
Token: SeDebugPrivilege	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
Token: SeDebugPrivilege	4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
Token: SeDebugPrivilege	2036	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeexplorer.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

description	pid	process	target process
PID 1692 wrote to memory of 1972	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 1972	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 1972	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 1172	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1692 wrote to memory of 1172	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1692 wrote to memory of 1172	1692	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1160 wrote to memory of 4052	1160	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1160 wrote to memory of 4052	1160	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1160 wrote to memory of 4052	1160	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 4052 wrote to memory of 2036	4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 4052 wrote to memory of 2036	4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 4052 wrote to memory of 2036	4052	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  PID:1172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe
  "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe
    "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Filesize
676KB

MD5
7bc4368793b130067be12f0e726b4ec1

SHA1
94c5ebe0bf5874f2ba0432f9149689e233341996

SHA256
2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58

SHA512
9f0c83f6b2625b36eecec10aed9aaba272a5a625fc5b6a20133f59197dd2773e9d40917e59bab95a17288500ccbbdfaa6e1b884b0e205f218d44e1c238fed52f

Download Submit
memory/1692-6-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-2-0x0000000005240000-0x0000000005274000-memory.dmp

Filesize
208KB

Download
memory/1692-3-0x0000000007D70000-0x0000000008314000-memory.dmp

Filesize
5.6MB

Download
memory/1692-4-0x0000000007860000-0x00000000078F2000-memory.dmp

Filesize
584KB

Download
memory/1692-5-0x0000000005300000-0x0000000005330000-memory.dmp

Filesize
192KB

Download
memory/1692-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1692-7-0x0000000004D20000-0x0000000004D26000-memory.dmp

Filesize
24KB

Download
memory/1692-8-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1692-9-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-13-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-1-0x0000000000890000-0x0000000000942000-memory.dmp

Filesize
712KB

Download
memory/4052-16-0x0000000002CA0000-0x0000000002CD4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads