1b923290bb58215d101034098a83688571f8ead6dc97c3a28ffd3a477b7e007e

General

Target

8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
Size

994KB
MD5

8d7c820a080a73a606182111a168cee7
SHA1

c285641f9497e685bdab31dac73d1f8df312a033
SHA256

1b923290bb58215d101034098a83688571f8ead6dc97c3a28ffd3a477b7e007e
SHA512

5eaf0da312e652c6781b03ab9c20bbd6aed7799a0f69e513bdb3038ce915be3d629e03a33740dab4db00b4a31a23d26879ff4dc0f0bf2130f0f489eb095a9baf
SSDEEP

24576:ot8GQaiLBkEiD7Ws6jzAifn8UxLUB4BA79KfRY6tBs6Pg:oEaiyE8g4e8UxLC4Bx5

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4524	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2212	2060	8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	94
PID 2060 wrote to memory of 2212	2060	8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	94
PID 2060 wrote to memory of 2212	2060	8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	94
PID 2212 wrote to memory of 2704	2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	110
PID 2212 wrote to memory of 2704	2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	110
PID 2212 wrote to memory of 2704	2212	internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe	110
PID 2704 wrote to memory of 4524	2704	cmd.exe	112
PID 2704 wrote to memory of 4524	2704	cmd.exe	112
PID 2704 wrote to memory of 4524	2704	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nszD0CF.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3956.bat" "C:\Users\Admin\AppData\Local\Temp\7275CECC63CC4FFFBEB8A472F2A9857C\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\$I4R1Z22

Filesize
98B

MD5
17d0b561a009f67b790ca9bd9dbf29d2

SHA1
f13acd19b89f82f0a2e9ff7a4bc544ed89d70894

SHA256
e474d5838487d98f6f517282710306adaffcac27bbaf2032437b417f718fc572

SHA512
b83827788c895f9a2ad884b84965a3f75f9e62ebd0be79dbc0c40763acada396c601c649c4409475f073d856c4382fee018f76023cf6211c33933265b44491d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3956.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7275CECC63CC4FFFBEB8A472F2A9857C\7275CECC63CC4FFFBEB8A472F2A9857C_LogFile.txt

Filesize
10KB

MD5
ef560d045298d2c7e7a948017905f49b

SHA1
e927d4cb043648777921e286435adda95ca2188b

SHA256
a1b20545266111e3ff2ededc779d1e6f151ffb4c87adc58d17633671f1da5dbe

SHA512
c50a0583a1cec5d44de0f4af525f3fc03bf247910a59780f410a3bb84a84d8d7f040a6533a4c8fd1401bb4d039f7c0fbfdc253abc206a75ee3059225e95d031b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7275CECC63CC4FFFBEB8A472F2A9857C\7275CE~1.TXT

Filesize
107KB

MD5
9399cb32bd255bca4d375d4c02f31d48

SHA1
1cf75328f7abe3b5aa0e77e54ef4ea61a8b3c73b

SHA256
f1e692c410f6512be6c54cd64eee6a1beaa26b28f4a1dfc54f155634dea16c99

SHA512
57a4f2751990172d764a303fa1b1fe8a360191ee898c4799b43209756411977a490ce14bd3b0b4c5973f8ca0f66d9c1b2725e13a176a4d1112c4688c64b65cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\internal8d7c820a080a73a606182111a168cee7_JaffaCakes118.exe

Filesize
1.8MB

MD5
fe600adb174ab1ed6a109fcae58e105d

SHA1
a58dc54ecedf83b52269874eab3083b40c521804

SHA256
91196fce09d8a45e64fe24c7c43615fe8e345f618c675f8dc1e608adc4977724

SHA512
3255a335a8147eb67269fe0d876a76b0ba0e1de3261ea8d2723100234a14a899d4992bdb82cd4980a86a951aeaed24f23babeebae6997eba0b4c7dfcb41728e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\internal8d7c820a080a73a606182111a168cee7_JaffaCakes118_icon.ico

Filesize
3KB

MD5
0ad9f1c79fccace7c4d8d0eede397ba0

SHA1
ff966c7ba3b87deee1f16b6fa452267d0c537e31

SHA256
2e6a3a17b1770211a8df373e5eec6d0227165882349f1416e359a4a0899a9cc7

SHA512
fc97f379a7c162fcecb1095f69ad9b448ad7d7dfa2a63ead68d80a44f318cad3427f8a05449945919fbdd17347aecfb0b5d0217df8e3485a1da5d66be89da8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD0CF.tmp\internal8d7c820a080a73a606182111a168cee7_JaffaCakes118_splash.png

Filesize
228KB

MD5
010e8d171ac43fb2248dd2db951af6f8

SHA1
d2b36aa2c4d6cb4237e72af62f40f62fd16cf045

SHA256
efe7e6e8da4b9094372b0de81f362fe0cc74257ee403c9156b9c1d3a81e98e6a

SHA512
fb9fa070c198c7ea57b78d94e6c7a4c045869985fb1976efcad473701ed86fa3971055537093ef60917119207640d15e81baaa2d5e46b21ff4b32bf3496d96de

Download Submit
memory/2060-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2060-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2212-76-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/2212-214-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing