27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb

General

Target

071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
Size

772KB
MD5

071c23ae75e84b754dcd5b6e22056d28
SHA1

ee3579b279cd3b6f5f555188e70c9fb459b4a958
SHA256

27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb
SHA512

0e020fd7440646e5ec5ce738fe54dcf4c15427181b98e18a1e603b4f5099201286fba264d8a3de566661a7f54be50a2b958db9cd5f3d207d1ac0c598679cbf95
SSDEEP

24576:eCxkZmvVi0FRAHgbGQjwZegfrxQU3SjZ6GPrb:eCx7V3FO9tOCSjZ6UX

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	msmh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe	msmh.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe	msmh.exe

Executes dropped EXE 4 IoCs

pid	Process
1616	msmh.exe
488	emailextractor.exe
4988	msmh.exe
1728	INS1B05.tmp

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023252-5.dat	upx
behavioral2/memory/1616-12-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral2/memory/4988-19-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral2/memory/1616-20-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral2/memory/4988-26-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbd5.tst	msmh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1616	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	90
PID 3080 wrote to memory of 1616	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	90
PID 3080 wrote to memory of 1616	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	90
PID 3080 wrote to memory of 488	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	91
PID 3080 wrote to memory of 488	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	91
PID 3080 wrote to memory of 488	3080	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	91
PID 1616 wrote to memory of 4988	1616	msmh.exe	92
PID 1616 wrote to memory of 4988	1616	msmh.exe	92
PID 1616 wrote to memory of 4988	1616	msmh.exe	92
PID 4988 wrote to memory of 3188	4988	msmh.exe	93
PID 4988 wrote to memory of 3188	4988	msmh.exe	93
PID 4988 wrote to memory of 3188	4988	msmh.exe	93
PID 488 wrote to memory of 1728	488	emailextractor.exe	95
PID 488 wrote to memory of 1728	488	emailextractor.exe	95
PID 488 wrote to memory of 1728	488	emailextractor.exe	95

C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\msmh.exe
  "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\msmh.exe
    C:\Users\Admin\AppData\Local\Temp\msmh.exe b
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
      4⤵
      PID:3188
- C:\Users\Admin\AppData\Local\Temp\emailextractor.exe
  "C:\Users\Admin\AppData\Local\Temp\emailextractor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\INS1B05.tmp
    C:\Users\Admin\AppData\Local\Temp\INS1B05.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\emailextractor.exe 695216 698160 59904
    3⤵
    - Executes dropped EXE
    PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INS1B05.tmp

Filesize
309KB

MD5
428e857334568f7c6b3d81470eafa938

SHA1
e255c1c5c9386cca77ffc19a32485777e63c1757

SHA256
995a9d2fb234c2832f21bebd28bbf02f7400d46e188433ab105d2963b5fdd3d7

SHA512
58c9f45eee12060f33500aabaeb919784445322bb7fbfce4909de035932fc4afde6f9506cc6154eb4362d022dde24af66368aab18297759bdb0077e5b2b47db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\emailextractor.exe

Filesize
686KB

MD5
4b1d8cc66e1242f635630004b24485b5

SHA1
63983c61258d46f04c41eb50d9b033127df9eb29

SHA256
13159e26ef2c6c3ff1ed05bdd9c9fbfd7f22eb9dc4ee0c5c187b4769468355c0

SHA512
d24a7727fec154832230c549cd2eaddada3961eb86718b3870591d6bc2d26c8f687132f715065e0f793221999484e571b5e0d3b27937a6f1918a6775cf23fb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\msmh.exe

Filesize
73KB

MD5
5290ea3a0b7371d6efcaf605111f5325

SHA1
89c1876e9d515c6be25e1dc80b5a577c883e3459

SHA256
d0009dbcb51202b589b359903f1181c2ca00f5d475dfc7e8af69904cc09360b3

SHA512
8d3a839ee106c4ac786a373b27e97665b180c75ff3bd5f3372f4f2fc0ad49b0a8b50d806a36d402282b4b523992fc6b9cb1eefea6fc24ac0b5d090286b0320d1

Download Submit
memory/488-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-12-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/1616-20-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/1728-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3080-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3080-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4988-19-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/4988-26-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing