9b21f21eaa6123a652f06aaffa2a60fb0586473eaefe2fc4ee7ed2d1498592bf

General

Target

840d5b570df16e076f7533669853da34_JaffaCakes118.exe
Size

869KB
MD5

840d5b570df16e076f7533669853da34
SHA1

0736279763b48bdb22caeb00681deda5aa13b742
SHA256

9b21f21eaa6123a652f06aaffa2a60fb0586473eaefe2fc4ee7ed2d1498592bf
SHA512

545afbed2337f083702e5407e2bc37532fd206fd5e0cbf57596a0416073d37d9e11465d9bc0f2cf1a10678311a392753ce880883469abe1c3e7c8780a2c52887
SSDEEP

24576:XtAVdCVjyZWqgJHCagpg8kgLsXIZJnNaruRGg09T:X24Qrgipg8DsIZJN8gGgMT

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
348	840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4244	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe
444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 444	348	840d5b570df16e076f7533669853da34_JaffaCakes118.exe	84
PID 348 wrote to memory of 444	348	840d5b570df16e076f7533669853da34_JaffaCakes118.exe	84
PID 348 wrote to memory of 444	348	840d5b570df16e076f7533669853da34_JaffaCakes118.exe	84
PID 444 wrote to memory of 4276	444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe	97
PID 444 wrote to memory of 4276	444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe	97
PID 444 wrote to memory of 4276	444	internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe	97
PID 4276 wrote to memory of 4244	4276	cmd.exe	99
PID 4276 wrote to memory of 4244	4276	cmd.exe	99
PID 4276 wrote to memory of 4244	4276	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\840d5b570df16e076f7533669853da34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\840d5b570df16e076f7533669853da34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/840d5b570df16e076f7533669853da34_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsm4A98.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\20511.bat" "C:\Users\Admin\AppData\Local\Temp\8F3E9C81CE1A4B5B806E3D2D91D332C2\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$I3FI7OB

Filesize
98B

MD5
66795b82cf93c6514f8181aa414ee90b

SHA1
0658c59e160b9142608870fa2388917e25b8913b

SHA256
afd74f800d57b62c38d9b87cc04bc51ece30e7a913e3094ee611a1edddf734a3

SHA512
0dafc01eb9dde8ce260e794f034e0f8b3cdc206fa9729a8826e5c7bd467ccfc45885f3e7fa2cd3d399816863fd019ebfc2b14b10203ba9175ce7da37fb67fdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20511.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F3E9C81CE1A4B5B806E3D2D91D332C2\8F3E9C81CE1A4B5B806E3D2D91D332C2_LogFile.txt

Filesize
10KB

MD5
9d19a3deee507552065175a6f48a3d64

SHA1
abdf7c7b1e824f4d9c76671a05d20de9f8a1c9fe

SHA256
cb142cab1e8cbbd52c216ef57a5e3f4a284d60177d999e3d07acd83659717f8e

SHA512
e56d11815fe6bb7f9792173e8c994cdfd308bd169a18f354ab8134a3f5f73d2a5cb872e9f92274d34b0ef578319122f4c1779283063d609760d1603d9315eb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F3E9C81CE1A4B5B806E3D2D91D332C2\8F3E9C~1.TXT

Filesize
111KB

MD5
c20feef15f19cbb9a2cb023125baf9da

SHA1
9d9f43853fcf8f09daf9413bb5aea06b033362b9

SHA256
5281ae255a108f5d938c2f29b70a800d26d55fa1a9b11e14690ae4101f3bf198

SHA512
6709d23bf400af7ff65ae41b1c1151b266c79274d3106fe066b117e7ef043454d688224f87e6865bbb1ec44717c6b5aa80f039813b87a5d9db1ad0aa8621e9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal840d5b570df16e076f7533669853da34_JaffaCakes118.exe

Filesize
1.8MB

MD5
c5ea500e55b0180498307ec867679a7e

SHA1
715fd28aa69ac4efc5935cb2407a6f9fd9ac020d

SHA256
da094f5a1fe8a93e729791368bb050ee3b8474773155e79fd08acfc7585d9b92

SHA512
71daf1111e4278ac294c8e1e095944d240be86ebcd385546255bb05f766d998b88634f2f8fadd53f67bd1066f84e850323fc1d35e6bc28be22bd7ed70ac0286c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal840d5b570df16e076f7533669853da34_JaffaCakes118_icon.ico

Filesize
17KB

MD5
0435aad9b66bd2d21746f90c4c347145

SHA1
a30451aa8190c455d1c96072ee212a0321419b65

SHA256
0c10ef2acabf74944b60e692d5cc12c1f1ed039d4519d5e062d90dbe922eb3ac

SHA512
f2a2b77aa9178758c164dc314ce16ab033ca471901655ad8505bff33ae5672675b7c4048b5844141d62b0a9487cb65ef2c834ec551be5d508cbc153e6cfd3a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal840d5b570df16e076f7533669853da34_JaffaCakes118_splash.png

Filesize
91KB

MD5
ff243135c5d88f148da2f62a4dfbc145

SHA1
7039920e5e74ff85e6b3e167bf77c2ba05fd96a4

SHA256
cf8e7ba76f7a71ad168c82ce4393426ad37d23734fea433f0dc65eaa1c00ddba

SHA512
a9105803225bb5c1d60dfe1833e9d320d6f3431eadad998435303d160d17b35fbedd0b9188e3796220a3537a6d30d31482c7ae01bfe4ac19e1b30dfa043c996e

Download Submit
memory/348-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/348-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/444-80-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/444-214-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing