d14fd76152e1820d8ae5997396113d99c5545e08909565a0a166d9bddd7201f0

General

Target

7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe
Size

1.6MB
MD5

7bc9138ce6db28600d3edc6f5aea3141
SHA1

e6320a6d01c471b45e90ed8d271dd01e6a4552af
SHA256

d14fd76152e1820d8ae5997396113d99c5545e08909565a0a166d9bddd7201f0
SHA512

bc6f5877a51e1c4d8f0435dd120a6596611135b6446a7f9317077bfd7309492a09254aea26ef8dd24fe83f191ee87d23dc6841db31f6329f5535710ef799637c
SSDEEP

49152:ZZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9u:ZGIjR1Oh0Ty

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
440	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe
3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe
3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe
3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3952	3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe	100
PID 3812 wrote to memory of 3952	3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe	100
PID 3812 wrote to memory of 3952	3812	7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe	100
PID 3952 wrote to memory of 440	3952	cmd.exe	102
PID 3952 wrote to memory of 440	3952	cmd.exe	102
PID 3952 wrote to memory of 440	3952	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bc9138ce6db28600d3edc6f5aea3141_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28916.bat" "C:\Users\Admin\AppData\Local\Temp\EE85F07493604CBC8BB5E231C0A08FE6\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28916.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE85F07493604CBC8BB5E231C0A08FE6\EE85F07493604CBC8BB5E231C0A08FE6_LogFile.txt

Filesize
2KB

MD5
0afa70972530b2b56194cf4d7048dd09

SHA1
37609c6b551634eaaa06865ccb86e7886708205b

SHA256
423e42f43dda0d6579580889fc5f9166c0611c5cf0858365fea9bd710c6bdbd5

SHA512
3f8a7ce322525ba172692f45d950425595b980c6a5bfba5fa9d3826b86ace94e1f5e82940269870029bf182e60104880be77b863b9fb8f57a119a214bd866249

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE85F07493604CBC8BB5E231C0A08FE6\EE85F07493604CBC8BB5E231C0A08FE6_LogFile.txt

Filesize
9KB

MD5
449d3d43197ab68de39dec6d26d9ff13

SHA1
52a4e9f25a19fac12f1916c726ed334d72119a35

SHA256
803eb4c3a1b51a9da7adb9f2ba8573e2b8cfbeef201c6265ef47179e22a1c225

SHA512
54664525a1a5c1cbc934279d86d0906e7b91fa9f5300342231328d97c485b5ba97859f41d318c057c4531ef06466f7334f8784f9635bb5e590b9b1b6228f2962

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE85F07493604CBC8BB5E231C0A08FE6\EE85F07493604CBC8BB5E231C0A08FE6_LogFile.txt

Filesize
678B

MD5
1e8fb4b6420235efbf1a97d167cbbce5

SHA1
8d0491983292eedd6c1b804a9bfea2804429bb11

SHA256
59eca19f9044f451221f12735072762b2893254c648d10444d8f5b4e43ed74b8

SHA512
f7283d22eaa4e423bdf2b433838de613888ed1cfd86b838ca86d0ef48234678680c265c13c59ce9dc345cb93e4b0d34cdb1ab59a491f741ba849c5538e373a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE85F07493604CBC8BB5E231C0A08FE6\EE85F0~1.TXT

Filesize
105KB

MD5
962e79c3103d8eee2e4498f9bfe0a532

SHA1
b8b139acb2c63625d2f233ee9eb679681e21b21c

SHA256
5f58dd3de6246997ecc693cf86439209c56a4a8c9c2be91786e4b2a0ad11f711

SHA512
055f578f09e385bee02c7c54bf939bd4e3976146871edede13b90819393469c3f097e3143c7c2533bbcdbd98d6b928bb92d0582f2bb0a74e7fdf57372485f4d3

Download Submit
memory/3812-63-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/3812-182-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing