3f1544912d8e7f9f764a7e97a113b0bd1a7a5063bb4bab76beb7c9ce96385750

General

Target

2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
Size

102KB
MD5

2649e3eaa1e401eaa5d85db45b4ee368
SHA1

1b35e6a09b17acfb47209ef587507768a595ea93
SHA256

3f1544912d8e7f9f764a7e97a113b0bd1a7a5063bb4bab76beb7c9ce96385750
SHA512

0d289313cf88579aca2813818bd74f355327e161a051450739b4a4185f731f5f9748bee275e969428ed69e708e4c174a8e8e6b219ee754a819a8abbaa939865d
SSDEEP

1536:8QhUo9k2tgIz1LcYN2sknj36nvALDfcaTEhZP35FafD/RjRopFvI/FYLwNIc8lPC:LP9k2tgIzDC2aJDeEsXcXPBQA6S4Q

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	audiold.exe
4792	WIDHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio Driver = "\"C:\\Users\\Admin\\AppData\\Roaming\\audiold.exe\""	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-Network Component = "\"C:\\Windows\\system32\\WIDHost.exe\""	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WIDHost.exe	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\WIDHost.exe	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	audiold.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WIDHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WIDHost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	audiold.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
2148	audiold.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe
4792	WIDHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
Token: SeDebugPrivilege	2148	audiold.exe
Token: SeDebugPrivilege	4792	WIDHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2148	2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe	91
PID 2344 wrote to memory of 2148	2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe	91
PID 2344 wrote to memory of 4792	2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe	92
PID 2344 wrote to memory of 4792	2344	2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2649e3eaa1e401eaa5d85db45b4ee368_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\audiold.exe
  "C:\Users\Admin\AppData\Roaming\audiold.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\system32\WIDHost.exe
  "C:\Windows\system32\WIDHost.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4100,i,384704133665252524,7723904513810765818,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\audiold.exe

Filesize
102KB

MD5
2649e3eaa1e401eaa5d85db45b4ee368

SHA1
1b35e6a09b17acfb47209ef587507768a595ea93

SHA256
3f1544912d8e7f9f764a7e97a113b0bd1a7a5063bb4bab76beb7c9ce96385750

SHA512
0d289313cf88579aca2813818bd74f355327e161a051450739b4a4185f731f5f9748bee275e969428ed69e708e4c174a8e8e6b219ee754a819a8abbaa939865d

Download Submit
memory/2148-26-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2148-38-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2148-31-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2148-30-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2344-3-0x000000001B220000-0x000000001B282000-memory.dmp

Filesize
392KB

Download
memory/2344-0-0x00007FFF7D985000-0x00007FFF7D986000-memory.dmp

Filesize
4KB

Download
memory/2344-2-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2344-32-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/2344-1-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/4792-33-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/4792-34-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/4792-35-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download
memory/4792-37-0x00007FFF7D6D0000-0x00007FFF7E071000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads