ce9ef1f5249afd70047e61f7515813d8683b536928517cde180e1acd2e1941c6

General

Target

1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe
Size

4.4MB
MD5

1b824cd220a44f8fd840558753b33d65
SHA1

4815b0a76111b581784a395e24c66fc0c5b22763
SHA256

ce9ef1f5249afd70047e61f7515813d8683b536928517cde180e1acd2e1941c6
SHA512

fa69db4162edf9d10d07201ac5e085828c2537571e2941588c4e8174d2cf019b501184e87bf3a37feab8952c9d7698a0cb22160c35ea7f4a23075f4f2df9d479
SSDEEP

98304:izgmcGU8jrHdFZ9HLbZOCwn27CKT+y/dyVCBSwfXfmYAqL+5L5D/sBoyK:S0U9FZ9rb4n27p31ZBSGXuXq65tDsor

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ebook.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	ebook.exe
764	ebook.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023266-5.dat	upx
behavioral2/memory/2964-9-0x0000000000400000-0x00000000005D0000-memory.dmp	upx
behavioral2/memory/2964-24-0x0000000000400000-0x00000000005D0000-memory.dmp	upx
behavioral2/memory/2964-45-0x0000000000400000-0x00000000005D0000-memory.dmp	upx
behavioral2/memory/764-47-0x0000000000400000-0x00000000005D0000-memory.dmp	upx
behavioral2/memory/764-50-0x0000000000400000-0x00000000005D0000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	ebook.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ebk	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\Defaulticon\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ebk	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\Defaulticon	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ebk\ = "digitaldm"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell\open	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe\shell	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell\open\command	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell\open\command\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe %1"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell\open\command	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\applications\ebook.exe\shell\open\command	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\applications	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\Defaulticon\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\applications\ebook.exe\shell\open\command	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe\shell\open\command\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe %1"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\Defaulticon	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\digitaldm\shell\open\command\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe %1"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe\shell\open	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe\shell\open\command	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ebook.exe\shell\open\command\ = "C:\\Users\\Admin\\Documents\\My EBKs\\resources\\ebook.exe %1"	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ebk\ = "digitaldm"	ebook.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2964	ebook.exe
2964	ebook.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2964	ebook.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2964	3604	1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe	91
PID 3604 wrote to memory of 2964	3604	1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe	91
PID 3604 wrote to memory of 2964	3604	1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe	91
PID 2964 wrote to memory of 764	2964	ebook.exe	95
PID 2964 wrote to memory of 764	2964	ebook.exe	95
PID 2964 wrote to memory of 764	2964	ebook.exe	95

C:\Users\Admin\AppData\Local\Temp\1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b824cd220a44f8fd840558753b33d65_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\drop\ebook.exe
  "C:\Users\Admin\AppData\Local\Temp\drop\ebook.exe" HSBC_RedandWhiteAprJun08_1272.ebk /sn
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\Documents\My EBKs\resources\ebook.exe
    "C:\Users\Admin\Documents\My EBKs\resources\ebook.exe" HSBC_RedandWhiteAprJun08_1272.ebk
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drop\HSBC_RedandWhiteAprJun08_1272.ebk

Filesize
4.0MB

MD5
dabdea7d526549c9b381206008f9b07a

SHA1
68897f4c29fe6e3b3b23b49928ef966d27d6ceda

SHA256
988caaf1379907ddd84cefd8e5f1745f3ad2f26bef99710168aeaf98f538cc3c

SHA512
144965afb551c2617a211c660192a17854ef1720daf6bbe535517415cd49d062651b310a36abc7065b0f6ed06b857126e69425479f7a0dbb549e60023b630bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\drop\ebook.exe

Filesize
276KB

MD5
98474b76f6e7d12b808f99c65d7d324e

SHA1
b98fd9838fa87e1d95bee2a7521006e8c91d2c6f

SHA256
91960d67071c95b753aa7712ce3e4058e69734fd2005a18ebe527ca476d52cc4

SHA512
39d210de4420facf81a9df6fd760eaa4ab2ddfa7404fe5c5bd7316118214cbedae485e01bfc89d413ffe223c5d923de9734fe1a100316befc849dee04ebd92ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\drop\hsbc.ico

Filesize
9KB

MD5
12241ee654d9e3c44bcdc40009113d35

SHA1
58c216a0ce4a4d47d7272efd9894158718f95fe8

SHA256
d1e4c5cc4c0ef2bb2588eeee05455945184f2a6269842804f72c9f4686ee44c4

SHA512
bb00d00758fc51832f4dd110af67faa7af8bac0b902622d616686efdce654e9ad878f3cd7438556e724c06dab93c654bdf079bec89140a4ec99a1d6a7b1b1ccd

Download Submit
memory/764-47-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/764-50-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/2964-9-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/2964-24-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/2964-45-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing