f0a30f1090f76567f3c74bb1c5117a8db80f2167df7f7518ba20d74a6d65a836

General

Target

a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe
Size

346KB
MD5

a80d939fa4801d4e23ef08cc30e98c80
SHA1

a447cd81a81d23647c157e87c62d574d3a69c251
SHA256

f0a30f1090f76567f3c74bb1c5117a8db80f2167df7f7518ba20d74a6d65a836
SHA512

d1c430401d126842fe6bc672df262ebe99c60363f3fce689cca9229a0e1638fb4ceee259b0200eef32627f2eb2783eea84b45b6aeea1c741ae7036485bfd39fb
SSDEEP

6144:uz+92mhAMJ/cPl3iKSTJU3Bh6AyvhKFnjsyh4NiOzWB/snPh5IVGZf8HvNneYF3P:uK2mhAMJ/cPl/31yvhohpgwiPjIVAf8L

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cducfuvpb.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cducfuvpb.exe

Executes dropped EXE 2 IoCs

pid	Process
3644	cducfuvpb.exe
1116	Curly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1000	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3644	cducfuvpb.exe
3644	cducfuvpb.exe
2120	cmd.exe
1116	Curly.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3644	4564	a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe	81
PID 4564 wrote to memory of 3644	4564	a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe	81
PID 4564 wrote to memory of 3644	4564	a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe	81
PID 3644 wrote to memory of 2120	3644	cducfuvpb.exe	83
PID 3644 wrote to memory of 2120	3644	cducfuvpb.exe	83
PID 3644 wrote to memory of 2120	3644	cducfuvpb.exe	83
PID 3644 wrote to memory of 1116	3644	cducfuvpb.exe	85
PID 3644 wrote to memory of 1116	3644	cducfuvpb.exe	85
PID 3644 wrote to memory of 1116	3644	cducfuvpb.exe	85
PID 2120 wrote to memory of 4200	2120	cmd.exe	86
PID 2120 wrote to memory of 4200	2120	cmd.exe	86
PID 2120 wrote to memory of 4200	2120	cmd.exe	86
PID 2120 wrote to memory of 1000	2120	cmd.exe	87
PID 2120 wrote to memory of 1000	2120	cmd.exe	87
PID 2120 wrote to memory of 1000	2120	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a80d939fa4801d4e23ef08cc30e98c80_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\cducfuvpb.exe
  "C:\Users\Admin\AppData\Local\Temp\cducfuvpb.exe" gozosjyi.bat++Curly.exe+++++
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c gozosjyi.bat
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\Curly.exe
    "C:\Users\Admin\AppData\Local\Temp\Curly.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Curly.exe

Filesize
555KB

MD5
8c3244a681b016bda5032d10af658f60

SHA1
7eb5c556792d7a44e89b25f18ed9bf3cb4ba798f

SHA256
f68a970f8830602aa5497693ed6773ca9078c900727c4bdf09061fcf55fbe3df

SHA512
6bac24aa93de215abc015b47a46f179066d9bfa6d5fe77ca862fb114fa4358ff241e5f012f3dfe953cf39621a593aa47c2ab20acbb9563f4ac133e9b3146ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cducfuvpb.exe

Filesize
20KB

MD5
06d65822627f8b34128eea72ef444b28

SHA1
d977b0a7ea336337b44ab5250360232b42b5787d

SHA256
ff889b58f12b78b8e1419b252ed006d395d9d2e4f5242c1e6fd87973ac860fad

SHA512
e78b73d3c6ba0492b859054d3acdc5ac5ed265192deb6cb8fa4caee8fc498c7259261eaeb40ac98be23faaeacc4df0c763dfcce1701bddc8368a1fed23588401

Download Submit
C:\Users\Admin\AppData\Local\Temp\gozosjyi.bat

Filesize
7KB

MD5
1e24e887afafe94b7210726d1a38b988

SHA1
b375930c4b45e961bb986ff2fbc4a2d8ec106004

SHA256
5ac088deda96280533c2598b9a38695163bdf980fd3a93408b07e3f7c3c71d59

SHA512
8644eb69b245e300d5744c5c0f97d4707bd25cd0b73c8b5b950b681ae4bec4cf8c9da4884795fc35f9daf1c6e25f765450df3e263259f8933a12b03a1bf7b6d5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
628B

MD5
015762a9c8f7c1a0d59fa37592e1e848

SHA1
438ebfb3bba8dd235a66613d19de298608752cc3

SHA256
1b3e19be6ab7f8990ccdd1453ed2cf6dcf00091d5df2b2b2bc7beb1417f37aa9

SHA512
5f53a0cb28b308651b42b506c2faa466e63aa1aec61d58d5c1869a8f5432ccab43e378f9dae0075c2096331ea376c7a31fb12f6a1e285a4a652302912f98e9c0

Download Submit
memory/1116-45-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1116-47-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing