7bca222ab9f77e52a9764e87516303cf8878dfe868c1a584bada081d05784da3

General

Target

261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe
Size

5.4MB
MD5

261718443e3bb3b39b89766a86475b2b
SHA1

48f1b67fed46c5359ce25c6a9d19fecb5d728dbe
SHA256

7bca222ab9f77e52a9764e87516303cf8878dfe868c1a584bada081d05784da3
SHA512

d42bf1e04458ebe2821dc53dabe3d31f08ebe0f1bca83cf438efddef2bab2d61ab73f573c5f55e2eca6c2e979b5dc92e1f2bcd8428cbe0dd462940c15f4eccf2
SSDEEP

98304:feMiViDz9xx2tbdPGPJZX+p5I9XayBZJN/pCDRU0V1vXMOaRzaWIizqB7sINrB7:hRi+JIp5I9XrBxR631BceKYwINrx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

7za.exeSetup.exe

pid process

872 7za.exe
3064 Setup.exe

pid	process
872	7za.exe
3064	Setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings	261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Setup.exe

pid process

3064 Setup.exe
3064 Setup.exe

pid	process
3064	Setup.exe
3064	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exeWScript.execmd.exe

description	pid	process	target process
PID 4840 wrote to memory of 4700	4840	261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe	WScript.exe
PID 4840 wrote to memory of 4700	4840	261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe	WScript.exe
PID 4840 wrote to memory of 4700	4840	261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe	WScript.exe
PID 4700 wrote to memory of 3100	4700	WScript.exe	cmd.exe
PID 4700 wrote to memory of 3100	4700	WScript.exe	cmd.exe
PID 4700 wrote to memory of 3100	4700	WScript.exe	cmd.exe
PID 3100 wrote to memory of 872	3100	cmd.exe	7za.exe
PID 3100 wrote to memory of 872	3100	cmd.exe	7za.exe
PID 3100 wrote to memory of 872	3100	cmd.exe	7za.exe
PID 3100 wrote to memory of 3064	3100	cmd.exe	Setup.exe
PID 3100 wrote to memory of 3064	3100	cmd.exe	Setup.exe
PID 3100 wrote to memory of 3064	3100	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\261718443e3bb3b39b89766a86475b2b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BANDEAU.jpg

Filesize
21KB

MD5
523c100a6fec6eb73c10a705ba1a232c

SHA1
c6d6246e3a419033e405f057f38dcfec57eae628

SHA256
73347a81d34cee029012392a51fdc62e3dd53eb1a1d0f42b62d0f5080058cd68

SHA512
c4c7b0ea9aeff0dab543bda19862a078abce61fcaa1cf3a6c815dd52af34f31cdfc5042525ef02a908a9ebdb7c734c04a068c9593eaabdcee34d9aef38a2ece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
796KB

MD5
3f174085d55bd3029301ef3cfba2c11d

SHA1
ac4095dca8a1e65e7ba36421a5eac32c54e49aae

SHA256
05cf08cf1cd7b9232e3b68ee722e7f1e21befe598f5400c46d486f7c88b0fdba

SHA512
74d2ba3f0544578275daaf290711d03b5b4145d8f8dfea77aac371077d26c97465764a2c4b86f4c13cdf8213ca12f6fe452ce40cdb4396c174f201fb5da2d9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
5.0MB

MD5
bd35eb58ae8dd713776659af40cef34a

SHA1
07d16742b95460333c29ad79cd0f2ee82a351a32

SHA256
6d7ac8302194e51c741ed6b2fd07780e957e9300a1d7e52eede8996dceb7d99a

SHA512
0a118125a398ecbb544bdcf3b642e29390a0e22f12d782cefc636955d4cc6a61dc2224d9fe5bf34148608ed3af367a3327b071ff96d1d682c627da43a94040a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
376B

MD5
8e43dcf6964a7c171a6d78722ea4b790

SHA1
140bfed4b00aa4770089061413e89a6343957603

SHA256
49a49886a4dcf7aa2356a818e8ee52d59b44ea372ae3645b38e68c3b22aaf677

SHA512
d5967b3e26092caa10d32e1ba602eef505980b0e0f9de3e4860e01872ac3bbcf26ce07f9670289f7b72196e3007862872b6a7b4b634f41a27c0628232c9b06b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula.html

Filesize
16KB

MD5
2dc5eabf6bcfc144ec704ac1f989a5ec

SHA1
b65899aca1833bca7530cc559bff6a5f540d8277

SHA256
f16da6e85a5651698ecf9d277d101b74170a0f35e549f1272d7c978d06c9abb9

SHA512
6a11c0f4bfa7951d223400cc548b7fa3c7a6bd5e941a452dbc094c3695162c5f63324ca6a5c84fb2180f5219cf4f0062ca7a63845f6253e22c7b73d49c824004

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads