1a0c3cfb66d8dc190cc20b32700819efe4dc4700c53c2b5c8640132e847b76bd

General

Target

24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
Size

473KB
MD5

24b027ff78be2e6409342b6c60e07f6e
SHA1

ab5ec63f9ed90185ea2aa27bc6c077c88549daf5
SHA256

1a0c3cfb66d8dc190cc20b32700819efe4dc4700c53c2b5c8640132e847b76bd
SHA512

86032513e7b4cc5ccf3f7b84085807587c5f59235c707a4fc981ff6d472b326840ce66ad20b10824927b5e9da263f4e6004dbd07ef1af2a1fe33f0271b6af188
SSDEEP

12288:bXabaKHML5h0cp3+iJjqw4/nL2Ir2H7pETk:LiS7/p3+ioJPiQiET

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3236	WED.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WED.exe"	WED.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
3236	WED.exe
3236	WED.exe
3236	WED.exe
3236	WED.exe
3236	WED.exe
3236	WED.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3236	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	81
PID 2368 wrote to memory of 3236	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	81
PID 2368 wrote to memory of 3236	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	81
PID 2368 wrote to memory of 4560	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	82
PID 2368 wrote to memory of 4560	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	82
PID 2368 wrote to memory of 4560	2368	24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24b027ff78be2e6409342b6c60e07f6e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\WED.exe
  "C:\Users\Admin\AppData\Local\Temp\WED.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c deleteself.bat
  2⤵
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WED.exe

Filesize
473KB

MD5
24b027ff78be2e6409342b6c60e07f6e

SHA1
ab5ec63f9ed90185ea2aa27bc6c077c88549daf5

SHA256
1a0c3cfb66d8dc190cc20b32700819efe4dc4700c53c2b5c8640132e847b76bd

SHA512
86032513e7b4cc5ccf3f7b84085807587c5f59235c707a4fc981ff6d472b326840ce66ad20b10824927b5e9da263f4e6004dbd07ef1af2a1fe33f0271b6af188

Download Submit
C:\Users\Admin\AppData\Local\Temp\deleteself.bat

Filesize
226B

MD5
3ecb1ff6ff93d28d6a745e60af8acc2a

SHA1
d997e31fc6db111fba3a7598010984e833d87815

SHA256
f932ee6f0c5dfadaec4d28ae47f1fdddf2e2f1f181f914b5498175d28a6eb3fd

SHA512
0336fa19d88ce7a4165adda982b40119e26cb21a57d73978690ee38d45bdd7164f302231012d070900fe232ab8907142373d17e2d1dbf627a258b706498d8d87

Download Submit
memory/2368-16-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2368-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3236-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-18-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-19-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3236-14-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3236-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-23-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-24-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-26-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-29-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3236-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads