84924cc8e6a943ea4a7769379ad67178b4878809fc28a5552682ac6eea0e6c7d

General

Target

01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
Size

188KB
MD5

01c9a70fb7e17f9d215f2346ac4055b5
SHA1

e975065193cdcb04cabd256dfbe631a033d772ac
SHA256

84924cc8e6a943ea4a7769379ad67178b4878809fc28a5552682ac6eea0e6c7d
SHA512

b4bc41789fcab4f88bfae56df8a4f49942c9ad867d53449e147f26fee4cdbd2f38b0d2b9d13280532a411c19d1d091763bfad809a0a925e5bee6db5d7919e498
SSDEEP

3072:U9m0jofzTJK5fICGdNEi1w7Z/WpEy5kym65jVA13usrF2y31uXzFaC:cmTTJsyNEhA5cMARusrAsuXzoC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1337 = "C:\\Windows\\system\\svhost.exe"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1337logs\ofiara.0.htm	svhost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1337.ini	svhost.exe
File created	C:\Windows\1337.ini	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\bez tytu³u2.JPG	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\svhost.sd	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\svhost.sd7	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\wuaclt.sd	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\svhost.exe	xcopy.exe
File created	C:\Windows\system\wuaclt.sd7	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File opened for modification	C:\Windows\system	xcopy.exe
File opened for modification	C:\Windows\system\svhost.exe	xcopy.exe
File created	C:\Windows\system\wuaclt.exe	xcopy.exe
File opened for modification	C:\Windows\system\wuaclt.exe	xcopy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 780	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	90
PID 2876 wrote to memory of 780	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	90
PID 2876 wrote to memory of 780	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	90
PID 780 wrote to memory of 1740	780	cmd.exe	92
PID 780 wrote to memory of 1740	780	cmd.exe	92
PID 780 wrote to memory of 1740	780	cmd.exe	92
PID 2876 wrote to memory of 3188	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	93
PID 2876 wrote to memory of 3188	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	93
PID 2876 wrote to memory of 3188	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	93
PID 3188 wrote to memory of 3980	3188	cmd.exe	95
PID 3188 wrote to memory of 3980	3188	cmd.exe	95
PID 3188 wrote to memory of 3980	3188	cmd.exe	95
PID 2876 wrote to memory of 572	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	96
PID 2876 wrote to memory of 572	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	96
PID 2876 wrote to memory of 572	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	96
PID 2876 wrote to memory of 1420	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	99
PID 2876 wrote to memory of 1420	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	99
PID 2876 wrote to memory of 1420	2876	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD HKLM\software\microsoft\windows\currentversion\run /v 1337 /d %windir%\system\svhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\software\microsoft\windows\currentversion\run /v 1337 /d C:\Windows\system\svhost.exe
    3⤵
    - Adds Run key to start application
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C xcopy "%windir%\system\*.sd7" "%windir%\system\*.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Windows\system\*.sd7" "C:\Windows\system\*.exe"
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy "%userprofile%\gadu-gadu\ja\config.dat" "%windir%\system32\1337logs\config.dat"
  2⤵
  PID:572
- C:\Windows\system\svhost.exe
  "C:\Windows\system\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1337.ini

Filesize
118B

MD5
30efdbf73989806b5c748b1c22c53cb1

SHA1
5821cc1e89a9fda438c41b87712b188405367e06

SHA256
25d109f34670c4a50311a913ed5ff005df87d8bb02ae8fe2b32fb6ff31339f29

SHA512
97bcc62ca4dccb5a35791601d0d4245d8d4b7ce63068481248025422e2fed49ddfe4665bca15ff1c1a753a60921c8da4e701045055a2cc57a2da53ff25810b41

Download Submit
C:\Windows\system\svhost.sd7

Filesize
32KB

MD5
7c3d8955631512e938b8a2e0a3b82ade

SHA1
d3b5c3d06088654e40796f461f7fead9eccf6147

SHA256
4fdede0161ac67f8d0c9f01963e0eae52c6669ba06262ee30aca9d49c1a88103

SHA512
a60d05ac1ea306158780eb291c657aa957b89db6dcfa24753e2160ecd71a36f2a17349a2185c3dab5d200d7fc9a5523d9466bc87d59ec032f315b1990c71d597

Download Submit
C:\Windows\system\wuaclt.sd7

Filesize
24KB

MD5
d283a06cd1bc40dbafc221cdfc323907

SHA1
4bd647cb10781699628ce2045367bce80db1243e

SHA256
63c25587320cf0a6772f862d974a969b587a6e4f517a527c6ab5336042233445

SHA512
d91dd62d7ae378a7fbf15aceff2917c91fdb54a9cc770aebfa6f327cabd507c18b6f6715b07620b96d571172df26d2947307938c3bd4fc5a83353bc499cbbdb9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads