3a131bb4158b46ae6b2894a9a6fc02bb30f3c87bc8e48c125ce5c3c382917b10

General

Target

7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
Size

967KB
MD5

7cd7e1be96600eda549254f46037596f
SHA1

0b029c45767e58eeddc8a2b38bc4e49066ad3b2d
SHA256

3a131bb4158b46ae6b2894a9a6fc02bb30f3c87bc8e48c125ce5c3c382917b10
SHA512

ca7169cd2353721caddc387e4d2ad9698ea42f835dd188605df3b4be9844e6c84fa41bf4a2ec5cad4cd9995e2a61ceea5ad75fc0d32b00fa79bbb53edc1be6bc
SSDEEP

24576:ftXCT35bEN60Yc/rMegvH6RK1aeGokgwHJ:fKBtV6MjvH6RIrDCJ

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4348	388	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	81
PID 388 wrote to memory of 4348	388	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	81
PID 388 wrote to memory of 4348	388	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	81
PID 4348 wrote to memory of 2932	4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	89
PID 4348 wrote to memory of 2932	4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	89
PID 4348 wrote to memory of 2932	4348	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\nsy3606.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsy3606.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsy3606.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsy3606.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3891.bat" "C:\Users\Admin\AppData\Local\Temp\CAE9ECAA46C04FCEA0B437456E7D1F6F\""
    3⤵
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3891.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE9ECAA46C04FCEA0B437456E7D1F6F\CAE9ECAA46C04FCEA0B437456E7D1F6F_LogFile.txt

Filesize
4KB

MD5
9b424c14d67d65f54f28af9fc9fcd5c6

SHA1
b9b39a8206d7ee654c0f3d96af27d9d508e7b7d4

SHA256
2820566b6ee2d5669fe7fa6615136d0df971ed9fcc205d42ed3acbfb26e0c3f3

SHA512
a40d79d621ac23b0ef6c46941430cbd95848f10c3d67b50353ae7020f6e4183cd94b1b3a4a543aa8b10a001bec5679cd82527043a9d7e21cbb79acbd8287f861

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE9ECAA46C04FCEA0B437456E7D1F6F\CAE9EC~1.TXT

Filesize
110KB

MD5
2aaa68419a6cb70d5ad8bda3c2a29e0e

SHA1
30e5a4ed2ad5a90c8fd8e3706e23cc435c3655a1

SHA256
4ac9bd94cb211e0e616504110e2eb2618f04e675100a33284c448e2758de4b25

SHA512
9786f1725bbe78826899c30326ad5b682720529d1f6ea2771d2b817da60e492abafc7a482e7f698a56f03be9aeede8198c0f3d9695c4f660191c80d8539f7b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3606.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Filesize
1.8MB

MD5
77bfacca17ee1d89833b57f3a746d9a0

SHA1
aa9490c913489c5eafd02f67f875efcb56d23036

SHA256
38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

SHA512
21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3606.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118_icon.ico

Filesize
11KB

MD5
592abe695d3fb84c8a7589b0d2553a97

SHA1
d70d6de6fa25ca1924bd02b84075ee94f3870133

SHA256
ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

SHA512
a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3606.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118_splash.png

Filesize
136KB

MD5
0a8589de904eec91522c276d896216c4

SHA1
58ba5e9158c3afa3c3112fe1e24567996794c07e

SHA256
496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

SHA512
bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

Download Submit
memory/388-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/388-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing