a748dfd149c8e1f9d390b2c4a9f2646d97da3bebc25940a2fa08335221c2a898

General

Target

103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
Size

706KB
MD5

103c2fe0fd8d81d0179e9831f5091bce
SHA1

c85bf81b22f92002da99ea45513ee4f48a765324
SHA256

a748dfd149c8e1f9d390b2c4a9f2646d97da3bebc25940a2fa08335221c2a898
SHA512

fa7a2d3eef2072d20719df535672c2b417f3759faceabdaabc9d4b6708722e90c8941e7296990f9a58d2d14367f3d13af68f0e20bdd47b801ab03a2633c49561
SSDEEP

12288:CdrAofT5h6l0Lbl8gWsur96h73dvfDqF3Z4mxxsT2A6NgHP9o/l3h6iW:CiO5saLx7ur9ENXWQmXsT25GleTFW

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 2 IoCs

pid	Process
4240	3.exe
4188	RunMgr.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RunMgr.EXE	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4240	2916	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	92
PID 2916 wrote to memory of 4240	2916	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	92
PID 2916 wrote to memory of 4240	2916	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	92
PID 4240 wrote to memory of 4188	4240	3.exe	94
PID 4240 wrote to memory of 4188	4240	3.exe	94
PID 4240 wrote to memory of 4188	4240	3.exe	94
PID 4240 wrote to memory of 1904	4240	3.exe	95
PID 4240 wrote to memory of 1904	4240	3.exe	95
PID 4240 wrote to memory of 1904	4240	3.exe	95
PID 4240 wrote to memory of 4164	4240	3.exe	96
PID 4240 wrote to memory of 4164	4240	3.exe	96
PID 4240 wrote to memory of 4164	4240	3.exe	96

C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\RunMgr.EXE
    "C:\Windows\RunMgr.EXE"
    3⤵
    - Executes dropped EXE
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del %SystemRoot%\Debug.exe
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe > nul
    3⤵
    PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
340KB

MD5
e860f2c1c383b29df93336cef2e7a661

SHA1
22d83ee05689d50cd69713fa8f3abd0dc34f41bc

SHA256
0dd5d75041c4475490f6f4c6dc8cb5d04f1e22842460937ca3efa8e6ec863e88

SHA512
e22bd759ef1a1a33b274d395998c4a5615103623574c43a01b731246b553577d699a7ea44db8dcd961956a26535f7077202ed76b67692a47bd6141cbdf45292b

Download Submit
C:\Windows\RunMgr.EXE

Filesize
290KB

MD5
02182f44ae69e7e780515c29ebe0923d

SHA1
b2ffbef6781db5dd6786937d9c3f9c701d4b5949

SHA256
d8dc80b1c28afa0c11fca2f4ef5b49351ea0c7e8dd14e8940d5be25cad6e84b0

SHA512
3e0fac29e7270c51db0d8614f6c39236c5bb3ccd2a6b80de33022ce41c16849337b9e48382fa9ad3626c34896f007e55ea143e2a18767f0fc6c0bfa93cac780d

Download Submit
memory/2916-7-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-13-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-6-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-0-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-9-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-8-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-5-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-10-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-12-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-4-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-14-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-11-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-15-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-3-0x0000000001068000-0x0000000001069000-memory.dmp

Filesize
4KB

Download
memory/2916-28-0x0000000001068000-0x0000000001069000-memory.dmp

Filesize
4KB

Download
memory/2916-23-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2916-1-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/4188-31-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/4240-21-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads