6d05cf45fbb1431f62c698e21d7d251f21691aa78af950185ad586fd9f1e8d62

General

Target

0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe
Size

101KB
MD5

0828f50beb7e8c6d0a00f00c7ff68eb6
SHA1

bc9615e5a7807e75112e859d5a967ae372d2482c
SHA256

6d05cf45fbb1431f62c698e21d7d251f21691aa78af950185ad586fd9f1e8d62
SHA512

df1ae5dc9e7c1a1de17fbaa0ae757d7e25694e616f9b6e015d3a5758f2e7755a8e950d41b24fd1fea6ea39503b53bd438b85ff54a03d1786efbefb1c081c5b99
SSDEEP

1536:RWIF+FRqm30K9V39/DotX5kJufh69RGxbVGNDas20mRuYWsRnt3JgraylxrBgCcP:RlFYqa3ZcX/h2G5IsluYWsltNmLS

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
6128	msiconf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe = "msiconf.exe"	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msiconf.exe	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiconf.exe	msiconf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64	msiconf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 6128	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	81
PID 3608 wrote to memory of 6128	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	81
PID 3608 wrote to memory of 6128	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	81
PID 3608 wrote to memory of 10780	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	82
PID 3608 wrote to memory of 10780	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	82
PID 3608 wrote to memory of 10780	3608	0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0828f50beb7e8c6d0a00f00c7ff68eb6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\SysWOW64\msiconf.exe
  C:\Windows\system32\msiconf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:6128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0828F5~1.EXE >> nul
  2⤵
  PID:10780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Thumbs.db

Filesize
14B

MD5
5578892d9ddb5adff6009d5312cf5a97

SHA1
1f10e0a0ad0064eeacf44a730365f9e2078ac1c8

SHA256
12f4892402b2bce9b6a88417d2187a1d76d524c83616b20b5f9a2f5b54147a80

SHA512
38bdeac13634f10711023d3a6e8a9d4b1a66441de561b3db98d62aceaacd4e08beb0f2d8dfd157a063f28a9e8bfd5c6b9f385c9fb0212dca3f89b491fb566d8c

Download Submit
C:\Windows\SysWOW64\msiconf.exe

Filesize
101KB

MD5
0828f50beb7e8c6d0a00f00c7ff68eb6

SHA1
bc9615e5a7807e75112e859d5a967ae372d2482c

SHA256
6d05cf45fbb1431f62c698e21d7d251f21691aa78af950185ad586fd9f1e8d62

SHA512
df1ae5dc9e7c1a1de17fbaa0ae757d7e25694e616f9b6e015d3a5758f2e7755a8e950d41b24fd1fea6ea39503b53bd438b85ff54a03d1786efbefb1c081c5b99

Download Submit
memory/3608-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-49-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads