4febbac0ce67c54fea3cf09f5ff2db8ff62d0019aa6e7bb27e63267c8642a697

General

Target

86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
Size

967KB
MD5

86b8b1e78425ed0a8b6daee15ae8a0fd
SHA1

c523932f71e2b952056096002ac25ad8c588675b
SHA256

4febbac0ce67c54fea3cf09f5ff2db8ff62d0019aa6e7bb27e63267c8642a697
SHA512

466ecb03a7c10f1913c33174e3f25c5cee3b002fcabf6b1ebb7c03f608d5298aafc40f276c0cf4e12d55592c700d014e17c0747ef28a00382807be58dc0394ed
SSDEEP

24576:/tXCT35bEN60Yc/rMegvH6RK1aeGokgwHi:/KBtV6MjvH6RIrDCi

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2084	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1172	4904	86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	83
PID 4904 wrote to memory of 1172	4904	86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	83
PID 4904 wrote to memory of 1172	4904	86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	83
PID 1172 wrote to memory of 1976	1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	97
PID 1172 wrote to memory of 1976	1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	97
PID 1172 wrote to memory of 1976	1172	internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe	97
PID 1976 wrote to memory of 2084	1976	cmd.exe	99
PID 1976 wrote to memory of 2084	1976	cmd.exe	99
PID 1976 wrote to memory of 2084	1976	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsg56DC.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsg56DC.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25374.bat" "C:\Users\Admin\AppData\Local\Temp\8CBECDB0A2FC4B9D998072AD1FA079CD\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25374.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CBECDB0A2FC4B9D998072AD1FA079CD\8CBECDB0A2FC4B9D998072AD1FA079CD_LogFile.txt

Filesize
10KB

MD5
80ba41cb8be3fb24fa5c44eb8d9c2dc0

SHA1
96cb5fca82c6e86c647b62259693e17585c8e127

SHA256
7851c2a33c4d61a6ba765570489fb0b91aa60286d6b31caec7a47fbe990a3a0b

SHA512
281cf9b5993bb3d146cdbf7072304de559bd4ed023a2fdf069e0e7de1525fde64e9191ce1eca85f572093d22a9089f382f20b159118ace9f212c7372ce3fbb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CBECDB0A2FC4B9D998072AD1FA079CD\8CBECD~1.TXT

Filesize
111KB

MD5
fed9a0b3200ccb28061d0d53aeab6946

SHA1
1c2e6671096cd5b3e5e2e76a983b133c120822ec

SHA256
a529180f2b285263da7b25d06a1d3fd87c36d729029bfe1ce99fe9c8f9b2bc73

SHA512
f42bc05b43f5ba0c0ef87ef6a3fc131749ebef38dd33bffa68ec8b788ce1e7cd39044ce7cf68c5a0892213bd3f6bdb7b7bada074c021134384af936a28947fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118.exe

Filesize
1.8MB

MD5
77bfacca17ee1d89833b57f3a746d9a0

SHA1
aa9490c913489c5eafd02f67f875efcb56d23036

SHA256
38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

SHA512
21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118_icon.ico

Filesize
11KB

MD5
592abe695d3fb84c8a7589b0d2553a97

SHA1
d70d6de6fa25ca1924bd02b84075ee94f3870133

SHA256
ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

SHA512
a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\internal86b8b1e78425ed0a8b6daee15ae8a0fd_JaffaCakes118_splash.png

Filesize
136KB

MD5
0a8589de904eec91522c276d896216c4

SHA1
58ba5e9158c3afa3c3112fe1e24567996794c07e

SHA256
496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

SHA512
bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

Download Submit
memory/4904-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4904-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing