d1ac679427fe17e2e3e112430386ed379decf14b6f67dc14719c54509d8e7d61

General

Target

260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe
Size

4.6MB
MD5

260361b36b0c4f55f649b5cc86db046a
SHA1

efec712b253a0e3df0fafcb3cea36807119452f1
SHA256

d1ac679427fe17e2e3e112430386ed379decf14b6f67dc14719c54509d8e7d61
SHA512

a3eee0cacbee688537221930b8ab8d9f1b84105664fad6868a33386033400ed44184771a10542dfa78240d04546f50210f18f2d0b90979fac2108723ed766e39
SSDEEP

98304:aTZcRQU8oqTOQYKC9bf/bzQASqjwW6GKFeuNQdTw4sf8D7k9:aTZ8QvoWO7fT0zqjxRKIu21w4sZ9

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	RunApp.exe

Executes dropped EXE 2 IoCs

pid	Process
4796	RunApp.exe
3164	winsxs.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023487-458.dat	upx
behavioral2/memory/4796-466-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4796-475-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.ini	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.ini	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest	winsxs.exe
File created	C:\Windows\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat	winsxs.exe
File opened for modification	C:\Windows\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy	winsxs.exe
File opened for modification	C:\Windows\winsxs\Manifests	winsxs.exe
File created	C:\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest	winsxs.exe
File created	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll	winsxs.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240603812	winsxs.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat	winsxs.exe
File created	C:\Windows\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy	winsxs.exe
File opened for modification	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll	winsxs.exe
File opened for modification	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll	winsxs.exe
File created	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll	winsxs.exe
File opened for modification	C:\Windows\winsxs	winsxs.exe
File created	C:\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat	winsxs.exe
File created	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll	winsxs.exe
File opened for modification	C:\Windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll	winsxs.exe
File opened for modification	C:\Windows\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat	winsxs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4796	2576	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe	81
PID 2576 wrote to memory of 4796	2576	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe	81
PID 2576 wrote to memory of 4796	2576	260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe	81
PID 4796 wrote to memory of 4712	4796	RunApp.exe	82
PID 4796 wrote to memory of 4712	4796	RunApp.exe	82
PID 4796 wrote to memory of 4712	4796	RunApp.exe	82
PID 4712 wrote to memory of 3164	4712	cmd.exe	85
PID 4712 wrote to memory of 3164	4712	cmd.exe	85
PID 4712 wrote to memory of 3164	4712	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\260361b36b0c4f55f649b5cc86db046a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RunApp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RunApp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5091.tmp\Run.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\winsxs.exe
      winsxs.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5091.tmp\Run.bat

Filesize
70B

MD5
f6e7c255f6f4c34e4bd96d0c0db0dc70

SHA1
415dd6a4725cdcd23fcf5fc8f221dfbe9d338c11

SHA256
a8078e72dcf9adc9d73c5981604eb8904daab46bd3fd1e5912c211fdbc17e7f9

SHA512
bd958f5acc6fd63becd580c820dd7352587ea48d1a35563a88486f8758dc0a85ccad8cfc3e84f416c645222ec843677e4f962043b9332483c54ec339c272846f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RunApp.exe

Filesize
43KB

MD5
9e93d06efa02c75cf2c664692a649c57

SHA1
175e61dd61d0f91f8040cf6525f65bc342333730

SHA256
8276f2503ec9e1162a146ddc0df3498dbcabad7e95e418c2a39a6abc4b8f5d09

SHA512
6ce5b26530f187c485cff0c8f60223765d4bc6f531516afe354633a6d9f56336ec362474ac86a8c685d8c0ab9c0bfe5112c59f5a13f4b7787af7fd6b6490a438

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winsxs.exe

Filesize
642KB

MD5
8b4e819b2be53b4ef7895527591cea19

SHA1
5d51c3307331ad4a603d2b151c063be6eba9be72

SHA256
2d45ae30f8a525be4b68fc4c0dd932124918069576f89fc1b0285b0b018b4e9b

SHA512
fa2c4dc5f95e7c4a26edb89219a9734afacd32d5ab5ff212db86042c3b2618feeca479f30726b3cb06e5078ebd79d741fc3c181d847e6d05f873a830efa4b6bd

Download Submit
memory/2576-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-466-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4796-475-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing