370ee1c2bcb7f0b6af3a486a826a8637a65f0ebc31897e46fa88cc05122b4df2

General

Target

0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe
Size

579KB
MD5

0703d5b8e6b75e144b15489af2308783
SHA1

4aaa0bdb6670ec31a44c5bcce6be632c217fbda4
SHA256

370ee1c2bcb7f0b6af3a486a826a8637a65f0ebc31897e46fa88cc05122b4df2
SHA512

9436b10f7caa4f00387407a479d26710d85d0cd2381b2ef356b7bbaccdfcfbd752c6a0ce5ad079cf2ff1de69d26fc1848324d5d9db23ca733a886b6aa2e5c5f8
SSDEEP

12288:YOb3lmhLR6QXTFTwWHy0o4M85C8vFFpTiDxRUl39dt2+:YIk7qWX9F0DQl39rx

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Stp2A8A_TMP.EXE

Executes dropped EXE 1 IoCs

pid	Process
2040	Stp2A8A_TMP.EXE

Loads dropped DLL 16 IoCs

pid	Process
2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE
2040	Stp2A8A_TMP.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	Stp2A8A_TMP.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2040	2168	0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0703d5b8e6b75e144b15489af2308783_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\Stp2A8A_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp2A8A_TMP.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLF37E9.tmp.xml

Filesize
1KB

MD5
761954b71322f57abb28af5c308a0879

SHA1
24da173a6fc33e11189d24d75f2a7053c90b896f

SHA256
87b0f9d9035e91ab3b378c315f73012603f288adae23caa26c6e7430dd0e06e5

SHA512
9ff791a919732d4b95ce9f56a3166859731a3f80c69a5f3e7dce5c51ad07793045b711f5f0f104beca48daabd251fe1f04cdab5da5c51fd20399a79186d276c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GLBS383.TMP

Filesize
21KB

MD5
4f1dd23026c173d48a5daf314a0f0779

SHA1
eeb20b44c41e2f7ae29aeb541206b743c21e25bf

SHA256
dbf3c46201c94fad8ad86351d3a56b291e95c336305320b8139be6619a38f89e

SHA512
afd778e02257f24e27075449784da383c79656e94e9be663c45fd73887753b21a192ac78c1011173a1001afefd93b447b74a6d4b0b095b9b9c9bf1d35dda84ed

Download Submit
\Users\Admin\AppData\Local\Temp\GLC2C10.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
\Users\Admin\AppData\Local\Temp\GLF37EA.tmp.dll

Filesize
168KB

MD5
090304e548416a63a0806d29ec10f738

SHA1
04d4b581408893879bc5527ab2e04c8b11cbb7d9

SHA256
1412712b698c679560249a771dc6cfda94bb33fb5b7614667396b59c924a9cfb

SHA512
7596839c3778b767c240a58d7e4fcc9cb2496a375af44d97366354b5c056e1ddeb514e3a652b9fbfa7e5f94c90d52fd7e986ee9be0b1a6ac9c0a2d633d1c6870

Download Submit
\Users\Admin\AppData\Local\Temp\GLK2C4F.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
\Users\Admin\AppData\Local\Temp\Stp2A8A_TMP.EXE

Filesize
7.8MB

MD5
4e73790f10a9f9b026f758ca644d083b

SHA1
7070eb9360bef08548a0492cda35f17da4a30454

SHA256
c78c7d0ebd021121177df68a5fbc58832012a1f97c2175381ae91dfd9a06eedb

SHA512
5047dc584c534ed24903eaf509405065fa6a996adc0316f80f9b1b69ef5fef7fca09b7feaf1db99538402a7bbc5603960ba271b59b89b0b6586505eb990cbfea

Download Submit
memory/2040-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-9-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2040-8-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2040-28-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/2168-2-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing