c00ff70192ba719256d19e2f4da895fe3ec2cc2bbb79d7e0aa9c37b85e399983

General

Target

253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
Size

299KB
MD5

253db1fbd397b5b1dac7cf07863fd70d
SHA1

64094c2f2340d63f6d4bc3f25f61e5f865282f76
SHA256

c00ff70192ba719256d19e2f4da895fe3ec2cc2bbb79d7e0aa9c37b85e399983
SHA512

0b8c366a77a40b5c32f22fac79539558e10334e676a070f41935be51d63cc83059100e94cd7eb687d3a8b87a8353f3fe7062a11ec0554755edb324a4df51eea2
SSDEEP

6144:tcWMJJhqryYP/AarB8JZqWLXPIbgVLA3B1YajIuwkFzcz7CfcREdmOfOJN:tczJJhqrVPYhqWbYJnYajIEgzumEQOCN

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
412	autofx.exe
3844	fxinst.exe
2232	Microsys.dll

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fxinst.exe = "\"C:\\Program Files\\autofx\\fxinst.exe\""	fxinst.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\autofx\__tmp_rar_sfx_access_check_240643109	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
File created	C:\Program Files (x86)\autofx\autofx.exe	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\autofx\autofx.exe	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
File created	C:\Program Files\autofx\fxplay.exe	autofx.exe
File created	C:\Program Files\autofx\fxinst.exe	autofx.exe
File created	C:\Program Files\autofx\Microsys.dll	autofx.exe
File opened for modification	C:\Program Files\autofx\Microsys.dll	autofx.exe
File opened for modification	C:\Program Files (x86)\autofx	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
412	autofx.exe
412	autofx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 412	4308	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe	90
PID 4308 wrote to memory of 412	4308	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe	90
PID 4308 wrote to memory of 412	4308	253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe	90
PID 412 wrote to memory of 3844	412	autofx.exe	91
PID 412 wrote to memory of 3844	412	autofx.exe	91
PID 412 wrote to memory of 3844	412	autofx.exe	91
PID 412 wrote to memory of 2232	412	autofx.exe	105
PID 412 wrote to memory of 2232	412	autofx.exe	105
PID 412 wrote to memory of 2232	412	autofx.exe	105

C:\Users\Admin\AppData\Local\Temp\253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\253db1fbd397b5b1dac7cf07863fd70d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files (x86)\autofx\autofx.exe
  "C:\Program Files (x86)\autofx\autofx.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Program Files\autofx\fxinst.exe
    "C:\Program Files\autofx\fxinst.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3844
- - C:\Program Files\autofx\Microsys.dll
    "C:\Program Files\autofx\Microsys.dll"
    3⤵
    - Executes dropped EXE
    PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3760,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=2792 /prefetch:8
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\autofx\autofx.exe

Filesize
585KB

MD5
709fd67f58721e614c3404ce71650c75

SHA1
934d7098c9d4328cd2eb9b5a3d418692a96e9e7a

SHA256
4afa33bc8e7d8de4d756a130e11fb750236c117b0b75a404c808a3567de4c64e

SHA512
39f64fcf61f02d5f27b4d667e4c486c52742e6c7b6c86c01df5c00f800646f89a2378ae3b892baead470499fb8ea071c6567906ece7de59f979d528fed7b3497

Download Submit
C:\Program Files\autofx\Microsys.dll

Filesize
27KB

MD5
c8960a44334e5890771bb70ea2c6ecbe

SHA1
fdbffbd5e0387be19ac5cf4ef346adb6bbefe9e6

SHA256
80aac9bfd563788e1907c554a77b89f7bd17bc3efd97dd68e979f718b2679b2f

SHA512
c5e41068806ec118f519021e7a0a402e73b682d6b0f949a76babbe976b62bd6372812e4af823280f99005a474d85f57e8fc11dab375b0d84d9454af57ad6f52b

Download Submit
C:\Program Files\autofx\fxinst.exe

Filesize
81KB

MD5
a23dcaf89be940cba641b1c7950db760

SHA1
8cf755fb813dc8f92fe79a40b195fe01047ddb2a

SHA256
405b2a514a10bfaab952c2aaaa9d852aae99683d88048d9ec0c211cf5f37ec90

SHA512
b3b15f1732883f5aafc9dd86cc57c9648cb947538a721a3395952c3a632e0475976797c200bc5ba0aac78229f35025b64291c7c8a74da4721dbff34ba4ced6bc

Download Submit
memory/412-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/412-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2232-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3844-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads