093bd19789e92ff9270976c39e4585ce0ffdaad33efd80fc17b77f45acc61faf

General

Target

229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
Size

75KB
MD5

229de532314f23eac3bf6e977ee4f9fe
SHA1

c625beca5a2df7ba9cb62f36ad866b75488de074
SHA256

093bd19789e92ff9270976c39e4585ce0ffdaad33efd80fc17b77f45acc61faf
SHA512

569586d115b56e853612277694ecb0455e98b0a7b599ebaeea6567c595f658bf781a89a21c04e848c5e9c468d2c22c6a65b4b131ec5bd43fd667f8995488d672
SSDEEP

1536:O96bq+91nioxizwg8LAlqVTY3cHIaJQ3sXcEscy1RUGo1NeeY:wx2Ri8gkZwI5JQ3P351RPorY

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	360RES~1.EXE

Executes dropped EXE 3 IoCs

pid	Process
4296	360RES~1.EXE
5040	juwnny.exe
3440	juwnny.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\juwnny.exe	360RES~1.EXE
File opened for modification	C:\Program Files\Internet Explorer\juwnny.exe	360RES~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4612	3440	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4296	360RES~1.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4296	4072	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	82
PID 4072 wrote to memory of 4296	4072	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	82
PID 4072 wrote to memory of 4296	4072	229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe	82
PID 4296 wrote to memory of 5040	4296	360RES~1.EXE	86
PID 4296 wrote to memory of 5040	4296	360RES~1.EXE	86
PID 4296 wrote to memory of 5040	4296	360RES~1.EXE	86
PID 4296 wrote to memory of 5036	4296	360RES~1.EXE	87
PID 4296 wrote to memory of 5036	4296	360RES~1.EXE	87
PID 4296 wrote to memory of 5036	4296	360RES~1.EXE	87
PID 3440 wrote to memory of 1760	3440	juwnny.exe	89
PID 3440 wrote to memory of 1760	3440	juwnny.exe	89

C:\Users\Admin\AppData\Local\Temp\229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\229de532314f23eac3bf6e977ee4f9fe_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Program Files\Internet Explorer\juwnny.exe
    "C:\Program Files\Internet Explorer\juwnny.exe"
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE > nul
    3⤵
    PID:5036

C:\Program Files\Internet Explorer\juwnny.exe
"C:\Program Files\Internet Explorer\juwnny.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 604
  2⤵
  - Program crash
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3440 -ip 3440
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\juwnny.exe

Filesize
30.4MB

MD5
1c4339cf51e3562ed20923225c0ed81b

SHA1
c386425e917c8cb33640b60a0d03814ed0d56b10

SHA256
c44d7ed9b300dd1b514e4575322a04a2570aa02c4414a8f9491777973376830b

SHA512
4a15638e2103bb937f6ec0b11f1cc063ae93dd3af7737a29e37b5dd2161321fbb5acd231a45263b8d97838ba9a7432d32169b796f91cc7e3cf76f9a6dcb95252

Download Submit
C:\Program Files\Internet Explorer\juwnny.exe

Filesize
3.7MB

MD5
05f157b138f34a69526b5c9bc273969b

SHA1
a3df20d02cb5053cd041ac24188b3bfc3005d837

SHA256
58ee8cc5ae5849a73f82d5e676acfe456aa1993d225dae997c1101b91de7ba69

SHA512
1cb67c6ee3ce283112f877395d670430329d371f3c91915eaf26759eddf650032017c28260da810d1404233e7c578a52130b0475cc0e4ac9af3bde235f4adb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360RES~1.EXE

Filesize
72KB

MD5
5605b899606ca775dd8a6e94e618dae9

SHA1
457107597e33810622fcab56372475aa14e91c90

SHA256
2fa34e298812aa994c787e2d33ae1091e99d93e1eed08a11afa538abb3292296

SHA512
c126057b1a7161ccef97eef495b237a052af766707abfa96ceb4dee56a3d347fc3867afd90181b8897d2e0d17c9bfb98a1362a06add58fe5138793eb4fca3b40

Download Submit
memory/3440-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3440-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-0-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/4072-23-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/4296-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads