4c181c0b9b17fa72e3d58cbd5193bd9dc147bae4a5708e30bcee0456d5bf2321

General

Target

8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Size

480KB
MD5

8f21322118b88bcd8821b01cacd1eb28
SHA1

483bcd59b517887e38b9bed48fa4a04bde064363
SHA256

4c181c0b9b17fa72e3d58cbd5193bd9dc147bae4a5708e30bcee0456d5bf2321
SHA512

8f73be007a839baca15056db150119f7ae985aa74df81007ac1043cfcbc76e133b355ae51d321c701a11d57fc4502ffbb8f4816b39f0a69aec4a9af0b941f8d8
SSDEEP

6144:wlqL9zmKfFvKhLIF81q6cwdc9FHPQRsGjrNprvL7fnJKqmf3YcI8lWelSbr2oY:kknohMPQRs8BprvPfJKqmPYcI8a21

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A498709-E00B-4C45-A018-8F9E4081AE40}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81EA0A17-AA39-455B-BA20-EA79A8F98966}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1E2B86B-924A-4D43-80F6-8A820DF7190F}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A498709-E00B-4C45-A018-8F9E4081AE40}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C472071-36A7-4709-88CC-859513E583A9}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81EA0A17-AA39-455B-BA20-EA79A8F98966}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B115690A-EA02-48D5-A231-E3578D2FDF80}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C472071-36A7-4709-88CC-859513E583A9}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA445657-9379-11D6-B41A-00065B83EE53}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA445657-9379-11D6-B41A-00065B83EE53}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4552	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	82
PID 640 wrote to memory of 4552	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	82
PID 640 wrote to memory of 2488	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	83
PID 640 wrote to memory of 2488	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	83
PID 640 wrote to memory of 2488	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	83
PID 640 wrote to memory of 636	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	84
PID 640 wrote to memory of 636	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	84
PID 640 wrote to memory of 636	640	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\sogoutsf.ime
  2⤵
  PID:4552
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\sogoutsf.ime
  2⤵
  PID:2488
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\IME\SogouPY\SogouImeBrokerPS.dll
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads