c0905037542b6509fdc3cc5146ab6c181b1d799ab9ea01d84aec78c574e9a966

General

Target

0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
Size

1.0MB
MD5

0a0e21a4c70a1bfe6e97f39a1a79c639
SHA1

c0594ce0f3dd3b172a87618413a9219f34b71a26
SHA256

c0905037542b6509fdc3cc5146ab6c181b1d799ab9ea01d84aec78c574e9a966
SHA512

40c09f46eea499da18330972d71cb9ebbaca3f71f43fd63b034fb49b4712f25435bddb3c330bd5a7aa14df4c6b037063d7a05296242158bf4044b4671708aebd
SSDEEP

6144:LlJVQaL9M2Jktja5Uw1VQ3QBohoh/ACdVVzS2S1iTXuKUn2X5A2tyfDvdN9RS:Zb5eEUwxAoNZdVBS2S8XuKUn2ztypZS

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 3 IoCs

pid	Process
4364	MPG.exe
2944	server.exe
3660	winlogon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogon.exe"	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 4364	2152	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	83
PID 2152 wrote to memory of 4364	2152	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	83
PID 2152 wrote to memory of 2944	2152	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	84
PID 2152 wrote to memory of 2944	2152	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	84
PID 2152 wrote to memory of 2944	2152	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	84
PID 2944 wrote to memory of 3660	2944	server.exe	85
PID 2944 wrote to memory of 3660	2944	server.exe	85
PID 2944 wrote to memory of 3660	2944	server.exe	85

C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\MPG.exe
  "C:\Users\Admin\AppData\Local\Temp\MPG.exe"
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MPG.exe

Filesize
267KB

MD5
7eae382c9ae3926316660c6ec8656f0e

SHA1
1ef1e41e0a6e5d23f1ddcde471c704c92303a982

SHA256
b7c46d3198f75d2ae544adcf9c25e1fadefb06c8fb6656f3b72e3c4c653cbef5

SHA512
5dcfd1ae6db3f8bff9d88dcbef82406197b515f63dac3f540319e215924b59e6f49ce91aa28fe8dadf081150ea158bc2b69d7d51234e5ac044962b9ac29e98a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
741KB

MD5
2a0ee7cb8a71f66a3e8a915b313d6386

SHA1
c092193b749664a3a5aec263cded84fb59fa0802

SHA256
4607cd8041a9047722b8b81c3c72b53beb03decc8e1f7389fcecaca55da4ce85

SHA512
666fa5876161d3e3dbf964c85f7d9476ca90e9a28c5cf986f1362ab36ed5783e2d316e1f4569a1b285259d697947fd9f1431de81fd840bc3998a8d960a681e7b

Download Submit
memory/2152-2-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/2152-4-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/2152-67-0x00007FFFD4975000-0x00007FFFD4976000-memory.dmp

Filesize
4KB

Download
memory/2152-65-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/2152-0-0x00007FFFD4975000-0x00007FFFD4976000-memory.dmp

Filesize
4KB

Download
memory/2944-61-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/3660-64-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/4364-51-0x000000001B6D0000-0x000000001BB9E000-memory.dmp

Filesize
4.8MB

Download
memory/4364-53-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/4364-52-0x000000001BC80000-0x000000001BD1C000-memory.dmp

Filesize
624KB

Download
memory/4364-62-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/4364-63-0x000000001BDE0000-0x000000001BE2C000-memory.dmp

Filesize
304KB

Download
memory/4364-24-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/4364-26-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download
memory/4364-25-0x000000001B150000-0x000000001B1F6000-memory.dmp

Filesize
664KB

Download
memory/4364-68-0x00007FFFD46C0000-0x00007FFFD5061000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads