a90f013f0c96b10c341af84260baa2ed09ca9b5ca6b1b79281f1ea623f7f854d

General

Target

087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
Size

92KB
MD5

087517cda95d9630a0cba4b824a28234
SHA1

7d16ee8422b56c720561517d68cc41f997873369
SHA256

a90f013f0c96b10c341af84260baa2ed09ca9b5ca6b1b79281f1ea623f7f854d
SHA512

522a6b47c5fdee25c4111b32675c3f211dccc9bcbc9182242faf987fbba688b48c821579af172edf88c4a8fada18966846f0bd8c3b5b93aa9881f5ccd1dcc39e
SSDEEP

1536:W7FDGo4K9Ty+ihfQxtQg1nhFc9pJpk+tCwmg+Q6buWkJ2/tnJs1vk1PsG4evCuJm:yDGACQxjJGJpTP65vFJOEvCam

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	jusched.exe

Executes dropped EXE 2 IoCs

pid	Process
4528	jusched.exe
2292	jusched.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4548 set thread context of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4528 set thread context of 2292	4528	jusched.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2348	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
2348	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 4548 wrote to memory of 2348	4548	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	81
PID 2348 wrote to memory of 4528	2348	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	82
PID 2348 wrote to memory of 4528	2348	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	82
PID 2348 wrote to memory of 4528	2348	087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe	82
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 4528 wrote to memory of 2292	4528	jusched.exe	83
PID 2292 wrote to memory of 464	2292	jusched.exe	84
PID 2292 wrote to memory of 464	2292	jusched.exe	84
PID 2292 wrote to memory of 464	2292	jusched.exe	84

C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe" "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\087517cda95d9630a0cba4b824a28234_JaffaCakes118.exe
        5⤵
        
        PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Filesize
92KB

MD5
af9228b82b03fc212fc333a020884bba

SHA1
2de620611b3708c745606c97ee13f415e911701d

SHA256
e83818632ada773a6cdf14a7d6d17a67064a22f130323891b8db09efe72b3edf

SHA512
554ac7766096d137e173d077dac96374034357ed9d6223fd5a20d9729d9cb4a18e8f19dbbac3b2c1fbb5cc7991df808a526ca2bf114365de3e212fd2c4b093a5

Download Submit
memory/2292-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2348-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2348-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2348-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing