988f493a8ba71eabcf982cd11b00c24d8117569da1e81a5650a814930a91d5e5

General

Target

199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe
Size

556KB
MD5

199ae7a8bc09f78bfaab752c586d9e44
SHA1

3a73b40cfef0d82dd7d551f6c644322a9d240d90
SHA256

988f493a8ba71eabcf982cd11b00c24d8117569da1e81a5650a814930a91d5e5
SHA512

3fc34d04cceed059573b5cd65101c531cf0f1fbddeab5c7714721d46d9e3ac664a39d83a960849f39e11b2f62edacc3b95202c642bcd32e18e1da1e73e932ea2
SSDEEP

12288:PxaVAh64U5lER+1YPj5Gw5hCcPtYhUm1fez87LG1TsLE1FfD:PxaVxr52CYP/CkYhU67a1TsLE19D

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	j.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3168	j.exe
2696	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\6 5\\l3.lnk\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4472	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3284	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4436	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	81
PID 4480 wrote to memory of 4436	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	81
PID 4480 wrote to memory of 4436	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	81
PID 4436 wrote to memory of 4472	4436	cmd.exe	84
PID 4436 wrote to memory of 4472	4436	cmd.exe	84
PID 4436 wrote to memory of 4472	4436	cmd.exe	84
PID 4436 wrote to memory of 3284	4436	cmd.exe	86
PID 4436 wrote to memory of 3284	4436	cmd.exe	86
PID 4436 wrote to memory of 3284	4436	cmd.exe	86
PID 4480 wrote to memory of 3168	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	87
PID 4480 wrote to memory of 3168	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	87
PID 4480 wrote to memory of 3168	4480	199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe	87
PID 3168 wrote to memory of 2696	3168	j.exe	89
PID 3168 wrote to memory of 2696	3168	j.exe	89
PID 3168 wrote to memory of 2696	3168	j.exe	89

C:\Users\Admin\AppData\Local\Temp\199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\199ae7a8bc09f78bfaab752c586d9e44_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\6 5\bat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /im svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d "\"C:\Users\Admin\AppData\Roaming\6 5\l3.lnk\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3284
- C:\Users\Admin\AppData\Roaming\6 5\j.exe
  "C:\Users\Admin\AppData\Roaming\6 5\j.exe" "C:\Users\Admin\AppData\Roaming\6 5\svchost" -o http://eu.triplemining.com:8344 -u tundermacko_newbit -p 1234
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Roaming\6 5\svchost.exe
    "C:\Users\Admin\AppData\Roaming\6 5\svchost.exe" "-o" "http://eu.triplemining.com:8344" "-u" "tundermacko_newbit" "-p" "1234"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6 5\OpenCL.dll

Filesize
50KB

MD5
6c5bde40d18116e6c592506a51e014da

SHA1
2afcec48a0453c9e8b699b70da0b7b323882cc7d

SHA256
5e37f84046c38b34fd45a7c3f62c68984fb61ebc02d57f878f17a8d97750c6b6

SHA512
a5d41a6575c3b86e07a48422378106970640b1ea6e8ee0426a0c4e7d79320626e14bc3c984376f4890ad2b8e77d17497b6d3592190a7691d31a4f724647e8131

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\bat.bat

Filesize
189B

MD5
bab17c16f9e3c661064c83df2d1b4658

SHA1
a7676d59b0bad23f6d9ac56c38c3c30c7c3539cf

SHA256
2acb3f7cbfccf56261ea600ae674cd191ef6c226d922a50536466e45915e9475

SHA512
8abc532820bd43494baa4d13c74751ab9e813a75f0f0ff1055ee044ad1837edd2430336f1c4a0a80f97c7150774f75300c17ed109b498fa12c4550bd483c36c1

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\j.exe

Filesize
136KB

MD5
935809d393a2bf9f0e886a41ff5b98be

SHA1
1ed3fc1669115b309624480e88c924b7b67e73bb

SHA256
c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c

SHA512
46bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\libcurl-4.dll

Filesize
280KB

MD5
c8dd0d50f5b8676e8a166595f3f1b1d2

SHA1
222116789ac4a5dc3a14d4a480ca907d2151f5bd

SHA256
493d1df5e74c271ce437e2cfd13b5e9dea79d05e286815e8b8541c937fe6ba4c

SHA512
b60e50aaf118d32b57872ef7843526949b2bab6343995f68c11cce26af52ed03d25e475a3d9fd003cf7a6eeb90cd576bbed4e937db2d6ffb2ec5f2caf98e3a8c

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\libusb-1.0.dll

Filesize
173KB

MD5
7f2523dec5fa92c70f3ab13765d799ff

SHA1
f94a6cc07fa8aa680e3776df30e5171ce884fd0e

SHA256
7ceb91390ac581b78be8a18a6eebf7f9124a2460c4f9849ee4c75ec303412062

SHA512
33190cab913efaa7903b1cf1c9525bc2688cc7f954289bd2776e0bf141e4a78fd4f34cf0242e4da8ef30c3c6816da7d22573f645caa3b26571b9bd900dd31a37

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\pdcurses.dll

Filesize
85KB

MD5
1b364ec27b6f4f8879dabadb096a4f64

SHA1
1306650116ed181165d8cbc4098b07c0b08fcd09

SHA256
94995b0560d2ccda7951252397eb152b499454746b75d03479bbfa551def41e4

SHA512
bc7232055b0bd65c92197898b4eef3a6e92e6e8b55280a9f971d7bb147057800c9bc980dd9f10ec155ccf153679d55df3a3997ced04bf1d35d4e6376764e2dbc

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\pthreadGC2.dll

Filesize
66KB

MD5
8bc13c002f91cff22a17f5a5191c1292

SHA1
113b3d47ce52fd13e0c8038257c3ae05f3a1a9ff

SHA256
97c1a2cabfe69b987732a1502dac6cce9c6e31f6f7e9142fc4bc8d92077f2da3

SHA512
e78a607c48e1ff1362aadf298f679f716e0f8ded48cd4b835fe688a9f8cdb4ce8b227c2b71b78826f10285302d414b64082bf500ef471f1342bd4bc7f87e8033

Download Submit
C:\Users\Admin\AppData\Roaming\6 5\svchost.exe

Filesize
434KB

MD5
34ed4d5e131ad520074842f3a4562950

SHA1
639c23a2f56d4c6f48d6ae9f3dc856bbc98d13d3

SHA256
7c789c86b493cda5c10dc802720f8032f547c65c8191a234a2aaba8070520a8b

SHA512
cdaf85e029ac440f3a00b4059f27eaa1dedd8592b0b1dae3554b913bb08f59e01580e68d3fdc589bb2000b7257c445ea5216bc505b54380ce7811fb43ee4839a

Download Submit
memory/2696-63-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2696-66-0x0000000062480000-0x0000000062499000-memory.dmp

Filesize
100KB

Download
memory/2696-65-0x0000000070800000-0x0000000070842000-memory.dmp

Filesize
264KB

Download
memory/2696-64-0x0000000062200000-0x000000006221C000-memory.dmp

Filesize
112KB

Download
memory/2696-67-0x000000006B600000-0x000000006B62F000-memory.dmp

Filesize
188KB

Download
memory/3168-52-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads