99039a7621ede88aefaba61590583788a027dc30fefcdaecee857b8d87007119

General

Target

146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
Size

60KB
MD5

146c92fdbc193e5bbf4844c45cfa6e57
SHA1

f62dd363b3a046912d7751f5faddf0ce1e7197a2
SHA256

99039a7621ede88aefaba61590583788a027dc30fefcdaecee857b8d87007119
SHA512

738dcd158606494a6b56477b6353321f597023781ddba41833120be14c7d2f776be508f9c638cc3dfc436d4928d3a17645ffdfe5ba389756a4b535051ec21949
SSDEEP

1536:V3cpyORJLuB4P4AJJv4Romu/v4ptqrmX+lE8QG+Q:V3c1fP4AJJv45SlwM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe

Loads dropped DLL 9 IoCs

pid	Process
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Internat Explorar\Desktop.ini	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\Internat Explorar\Desktop.ini	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tbgw.ico	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
File opened for modification	C:\Windows\tbgw.ico	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1500	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	83
PID 3932 wrote to memory of 1500	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	83
PID 3932 wrote to memory of 1500	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	83
PID 3932 wrote to memory of 2644	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	85
PID 3932 wrote to memory of 2644	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	85
PID 3932 wrote to memory of 2644	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	85
PID 2644 wrote to memory of 952	2644	cmd.exe	87
PID 2644 wrote to memory of 952	2644	cmd.exe	87
PID 2644 wrote to memory of 952	2644	cmd.exe	87
PID 3932 wrote to memory of 1648	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	89
PID 3932 wrote to memory of 1648	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	89
PID 3932 wrote to memory of 1648	3932	146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\146c92fdbc193e5bbf4844c45cfa6e57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move "C:\Users\Admin\AppData\Local\Temp\Internat Explorar" "C:\Users\Public\Desktop\Internat Explorar"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib "C:\Users\Public\Desktop\Internat Explorar" +s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Public\Desktop\Internat Explorar" +s
    3⤵
    - Views/modifies file attributes
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat" "
  2⤵
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx3F5D.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3F5D.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat

Filesize
214B

MD5
887c2695206283def0ee5c82e7ac1039

SHA1
5b6409a6d4bda7a0f7c00213df8507d1d67818e2

SHA256
0eefc1fb29c5e383a942ee243665605863e7bc0f0bf00203b6027022da47bae2

SHA512
39926a4c0faae053b39c3c58ef710266a300e03cf956b330b3394a38c3404e803e40fb11ca04aac4af48dc4ef65e15c766f6279737e263584e4776c9921c6510

Download Submit
C:\Users\Public\Desktop\ÌÔ ±¦ Íø ¹º.lnk

Filesize
1010B

MD5
0241624317d179d69afaf8bdd85e6603

SHA1
293e70e2d3ef82aeaafb1edf0f4811290c8e10e6

SHA256
3808e5ceae259f656b45361840daecff6c0e753a2e03cc490d7ce550ffb8b56f

SHA512
806b249b8dc3d6865b96b5a63f1e0b74e2b783a2d58151ceadf5d3b53f66da666300bbde1c8c48a6b26d8c0e98ed60f4b50429b9770b251a34e91082dc2e0aab

Download Submit

Analysis

Sharing