eba516e043bcb59183b3d3bf48e75c3b7e158f1446b219ca1b63ef31b769b7ff

General

Target

abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe
Size

944KB
MD5

abe5ba6f171ff8f2d5edf40957b52e3d
SHA1

dedec4d9bd3425564a6a3d1dd0055b478ffca86b
SHA256

eba516e043bcb59183b3d3bf48e75c3b7e158f1446b219ca1b63ef31b769b7ff
SHA512

afbc66634b0c376d880746419f16ed27235906d986b44ff6a3a6e1eea884dbe350ae4316e98bb61e0d7ba293e16bc3b95ac5562524c7ebf9dde3f62e4422d7a6
SSDEEP

24576:6SsAZkp5IRBGLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKX7GLMMMHMMF:lsAZ+I2MMHMMMvMMZMMMFOMMHMMMvMMk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3324	FB04ACWFD1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3324 set thread context of 3232	3324	FB04ACWFD1.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5040	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe
4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe
3324	FB04ACWFD1.exe
3324	FB04ACWFD1.exe
3232	svchost.exe
3232	svchost.exe
3324	FB04ACWFD1.exe
3324	FB04ACWFD1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	taskkill.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3324	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3324	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3324	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	85
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 3324 wrote to memory of 3232	3324	FB04ACWFD1.exe	86
PID 4716 wrote to memory of 2748	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	87
PID 4716 wrote to memory of 2748	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	87
PID 4716 wrote to memory of 2748	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	87
PID 4716 wrote to memory of 3508	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	89
PID 4716 wrote to memory of 3508	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	89
PID 4716 wrote to memory of 3508	4716	abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe	89
PID 3508 wrote to memory of 5040	3508	cmd.exe	91
PID 3508 wrote to memory of 5040	3508	cmd.exe	91
PID 3508 wrote to memory of 5040	3508	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716
- C:\ProgramData\{9W0MD2JF-W4I1-N79K-PM734H4E9J4E}\FB04ACWFD1.exe
  "C:\ProgramData\{9W0MD2JF-W4I1-N79K-PM734H4E9J4E}\FB04ACWFD1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3232
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 45 /TN "A6VIIHM8KYHUVD0TVY" /TR "C:\ProgramData\{TP4VKTPT-FIAD-4EEH-MI40UBI31SCP}\5GEZN5SD.vbs" /F
  2⤵
  - Creates scheduled task(s)
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe /f & erase C:\Users\Admin\AppData\Local\Temp\abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im abe5ba6f171ff8f2d5edf40957b52e3d_JaffaCakes118.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{9W0MD2JF-W4I1-N79K-PM734H4E9J4E}\FB04ACWFD1.exe

Filesize
944KB

MD5
abe5ba6f171ff8f2d5edf40957b52e3d

SHA1
dedec4d9bd3425564a6a3d1dd0055b478ffca86b

SHA256
eba516e043bcb59183b3d3bf48e75c3b7e158f1446b219ca1b63ef31b769b7ff

SHA512
afbc66634b0c376d880746419f16ed27235906d986b44ff6a3a6e1eea884dbe350ae4316e98bb61e0d7ba293e16bc3b95ac5562524c7ebf9dde3f62e4422d7a6

Download Submit
memory/3232-12-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3232-13-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3232-14-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3232-15-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads