9ffcb4b6f0eafb2fc26acd02b8b4899e9545ed89263784a315e890878af2e638

General

Target

21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
Size

105KB
MD5

21f400e29d4ac04f2b8ad90aff8c48b8
SHA1

e8f47fc855b12605acabd96f59f77863f6ad19a8
SHA256

9ffcb4b6f0eafb2fc26acd02b8b4899e9545ed89263784a315e890878af2e638
SHA512

fa58894ad7f82a567671c3bf9cd55b43ac1716e3cf3093902b79fb82cf6c1bbb89ac39634e9bf839ef85a34494e549b6e2ebab29014485e2c687615b7a6b0e20
SSDEEP

768:G1fsvquCjaP+KCCKBY28eC4v3TLT2gu6kst+0TS8HV4zTVu/nVLLV07:G0qu0ZY2N3TA6kswOS0Vqu/li

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	jusched.exe

Executes dropped EXE 2 IoCs

pid	Process
4664	jusched.exe
1760	jusched.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	188.72.230.49
Destination IP	188.72.230.49
Destination IP	188.72.230.49
Destination IP	188.72.230.49
Destination IP	188.72.230.49

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4664 set thread context of 1760	4664	jusched.exe	100

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\7uEl43lm.com	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
4872	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4896 wrote to memory of 4872	4896	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	86
PID 4872 wrote to memory of 4664	4872	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	97
PID 4872 wrote to memory of 4664	4872	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	97
PID 4872 wrote to memory of 4664	4872	21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe	97
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 4664 wrote to memory of 1760	4664	jusched.exe	100
PID 1760 wrote to memory of 4136	1760	jusched.exe	101
PID 1760 wrote to memory of 4136	1760	jusched.exe	101
PID 1760 wrote to memory of 4136	1760	jusched.exe	101

C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe" "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\21f400e29d4ac04f2b8ad90aff8c48b8_JaffaCakes118.exe
        5⤵
        
        PID:4136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Filesize
105KB

MD5
fb43c9bcac330aa0adc2543a508af0fc

SHA1
976fb6695efce787d0f7447010fb662c7914303f

SHA256
28d8527b422cabc17ba69c19cb06d6c2fcd51f79a1b400781c0783bdfe541bfb

SHA512
638b0c4ed4317d01180e3e03a4276df86643e958516a51f25cbc979ee41a7e5fa8f583a40f45e1346a989afc85a0620b2acc69a514c2da7b0d3dc04d42e3f492

Download Submit
memory/1760-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4664-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4664-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4872-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4872-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4872-6-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/4896-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4896-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing