d9d79e7478c09558e4a06fdf9c48fee1cbf187931e4232d4d28d0ddf44557d2d

General

Target

0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe
Size

388KB
MD5

0999706a77ce9ddada24c25e0f618b87
SHA1

48b8c02901efbf0fa58bb0b0ea103e3bbbe7270c
SHA256

d9d79e7478c09558e4a06fdf9c48fee1cbf187931e4232d4d28d0ddf44557d2d
SHA512

8032f4e860edaa3e457cdd5fd44d3c5b758b00bb30e31052f68de997e49750cffe62dacdb85d8223b4eb472c41d1a63cdb51456608a3a747ed8673823404a7fe
SSDEEP

3072:d5tBKO/7VPj16dAr7ONWKARrJS9DykSo5IgujaPZBF+YbW6jBYplqKLc+2JVn5oj:KMxPjA+CNWKAlc9VSoSYF+2K6V+iw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	fvugun.exe

Loads dropped DLL 1 IoCs

pid	Process
4884	fvugun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4616	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	fvugun.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4884	fvugun.exe
4884	fvugun.exe
4884	fvugun.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4884	fvugun.exe
4884	fvugun.exe
4884	fvugun.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 388	4708	0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe	83
PID 4708 wrote to memory of 388	4708	0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe	83
PID 4708 wrote to memory of 388	4708	0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe	83
PID 388 wrote to memory of 4616	388	cmd.exe	85
PID 388 wrote to memory of 4616	388	cmd.exe	85
PID 388 wrote to memory of 4616	388	cmd.exe	85
PID 388 wrote to memory of 5000	388	cmd.exe	87
PID 388 wrote to memory of 5000	388	cmd.exe	87
PID 388 wrote to memory of 5000	388	cmd.exe	87
PID 388 wrote to memory of 4884	388	cmd.exe	91
PID 388 wrote to memory of 4884	388	cmd.exe	91
PID 388 wrote to memory of 4884	388	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4708 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0999706a77ce9ddada24c25e0f618b87_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\fvugun.exe -f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 4708
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:5000
- - C:\Users\Admin\AppData\Local\fvugun.exe
    C:\Users\Admin\AppData\Local\fvugun.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fvugun.exe

Filesize
388KB

MD5
0999706a77ce9ddada24c25e0f618b87

SHA1
48b8c02901efbf0fa58bb0b0ea103e3bbbe7270c

SHA256
d9d79e7478c09558e4a06fdf9c48fee1cbf187931e4232d4d28d0ddf44557d2d

SHA512
8032f4e860edaa3e457cdd5fd44d3c5b758b00bb30e31052f68de997e49750cffe62dacdb85d8223b4eb472c41d1a63cdb51456608a3a747ed8673823404a7fe

Download Submit
memory/4708-0-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-2-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download
memory/4708-3-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-1-0x0000000000570000-0x0000000000595000-memory.dmp

Filesize
148KB

Download
memory/4708-5-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-6-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-7-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-8-0x0000000000570000-0x0000000000595000-memory.dmp

Filesize
148KB

Download
memory/4884-14-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-23-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-17-0x0000000000E60000-0x0000000000F5D000-memory.dmp

Filesize
1012KB

Download
memory/4884-16-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-15-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-19-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-21-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-13-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-25-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-27-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-30-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-32-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-34-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download
memory/4884-36-0x0000000001000000-0x00000000010FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing