57f7a68ccc15e0fe9413d8b4d54dd269e5109515dd2b40c35396cdcf5b4fb24f

General

Target

06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe
Size

5.1MB
MD5

06d925c66c5a16ca222e4502adda12c7
SHA1

f0b159edff4a514a7a5d5129fb32473f583cf44e
SHA256

57f7a68ccc15e0fe9413d8b4d54dd269e5109515dd2b40c35396cdcf5b4fb24f
SHA512

517849dbdbc45d1c296a6773c40cdab7d65e873f31c8b338e92551d98f3687ebae8bbb59aa38cadcc5aacfffe6147cd78f28ffb88a3ebe3dfa8ae49375f427bc
SSDEEP

98304:QeMEggrI/LUUDkOVi6emXuq4mpFCfOAV+F/edsbYzMdUW4CSY+TDKau23fJy3HQ+:INg0wzV4u1m3XAV+F/8sUiUW4JTDKahy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4960	7za.exe
1792	Setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023457-50.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1792	Setup.exe
1792	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 5116	1472	06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe	85
PID 1472 wrote to memory of 5116	1472	06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe	85
PID 1472 wrote to memory of 5116	1472	06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe	85
PID 5116 wrote to memory of 1260	5116	WScript.exe	87
PID 5116 wrote to memory of 1260	5116	WScript.exe	87
PID 5116 wrote to memory of 1260	5116	WScript.exe	87
PID 1260 wrote to memory of 4960	1260	cmd.exe	89
PID 1260 wrote to memory of 4960	1260	cmd.exe	89
PID 1260 wrote to memory of 4960	1260	cmd.exe	89
PID 1260 wrote to memory of 1792	1260	cmd.exe	92
PID 1260 wrote to memory of 1792	1260	cmd.exe	92
PID 1260 wrote to memory of 1792	1260	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06d925c66c5a16ca222e4502adda12c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\Pack.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
80B

MD5
2ce6eef84b7f306858c23000f017e2a0

SHA1
1767837936825158d0a5faf707d130fcb3fe52b2

SHA256
6d7b5f31415ea7796876bee5350704fe556201800fdcb143ebfcd4bd450e9d4a

SHA512
47d989c8e394b0486841c056ab749a30351556773abe9e6d5f7c56db9d74a2cd9dc60c6d95ec75b6e4dde1887ac46aa044d346c5839d434d5174ba9a0cd50304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pack.7z

Filesize
4.7MB

MD5
94897c5de469f5c6135d66644f102095

SHA1
ec26d24b6ebb82b25fad81219e386dbf3d870f38

SHA256
f9299a6dc752c6e4e7e83c79cbac1cfe39a4ab491008e3e9e217224c98de43fd

SHA512
ca8b31aca93224a071ed78a6b7b57463223c0fc055328614ea3de0f1e8f5575f2387a59cfbc5bc11641f61c19dd2d86baa54e3ee2f3e85529f9135a5f121627c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
796KB

MD5
fac10b54d37cfe8e7201664697bb02ed

SHA1
1a34c6ef595b857fabd23d36b9522ed5bf71513f

SHA256
7f31ea106c76ad6f4656669cca62eb92b32ee0468e3ac42bbda9c2e9a0b1a35e

SHA512
09101457b17f1eaf1d8305198fe9d69f2e772fe599103af26534e17e98a682a7dc830d9f5a542c6225192cad74a4b28c0631670ebaff03b05bf3ad1c91220d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\bandeaux.jpg

Filesize
32KB

MD5
0ebd7c783e4d9a825c175bd3b7bc476e

SHA1
06560b8af12a321882576cbfa3a029d2a1d9e7c4

SHA256
5084b4a2ab4ad34b8aab44a3b3c1420a4cf2ae481114fb6c7def273925d8761b

SHA512
64e8f4c4891470998e84700758da3b4a16bf068a4495c2f07fb44ee2e682e6641567785e02b787d34e39c71f2c8a96fe4d0eb7ab878aca4242f72ff80eeaba01

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
383B

MD5
e099e9abc2f4e9a3682dd2fea8b0d228

SHA1
3a075f514bb2a2807a5f966081a01fdd5cced4ec

SHA256
d3b2062785f3457c1c62f92b39b1699f5752fa0d96508561beddd4974e7af3f8

SHA512
bf31e48a6839a5255ce0f923b877800d34cac9c51fcae90dcb3f51b519383716296646d61b8faf73f4713b5b88aa483ddcd74067579649514a7495e7d515081f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula.html

Filesize
17KB

MD5
ed16b03674655fc4d3fa431406ac9901

SHA1
15f995504fa56b3cc2413325cc43c2f3b2d8b843

SHA256
cd9dceabf43d32edbbdf5f4bef952020a2eea737d5beb7bf16b677078d34e2c9

SHA512
f8a000391751c29435370fc69d1f22f7b0f61da2944eacbb3e86956e81e21aa071020b85eb4fc247603add440848e751433ebc419457aa19532627948c91099d

Download Submit

Analysis

Sharing