2776de2bba5b8d10376c72777d990cfb42e90d1634f55813b4eee24f949e9ace

General

Target

27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe
Size

145KB
MD5

27005c3adf9f599b4203ed2252baf962
SHA1

d2ce5c972982fb4815b33a6f7c0a286360583e0a
SHA256

2776de2bba5b8d10376c72777d990cfb42e90d1634f55813b4eee24f949e9ace
SHA512

212ec55e32ebbdae156f0f501b58e7c7f64637afee795cdfa957150f66041fe62afd32fbd9af33a57fcc4da9d4ac5d1a16bded1623c6ccd24c312acdb3861468
SSDEEP

3072:QjObJeHVMZpwbPjsFh392dvjDJx8PMVyyUh730w:QiIMZpkPSh392tXJukVyymEw

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	opeA132.exe

Executes dropped EXE 3 IoCs

pid	Process
2916	ope9FAB.exe
3896	opeA132.exe
2432	ggao.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ggao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3896	opeA132.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	opeA132.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3896	opeA132.exe
2432	ggao.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3896	opeA132.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3896	opeA132.exe
3896	opeA132.exe
3896	opeA132.exe
2432	ggao.exe
2432	ggao.exe
2432	ggao.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2916	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	84
PID 2872 wrote to memory of 2916	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	84
PID 2872 wrote to memory of 2916	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	84
PID 2872 wrote to memory of 3896	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	85
PID 2872 wrote to memory of 3896	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	85
PID 2872 wrote to memory of 3896	2872	27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe	85
PID 3896 wrote to memory of 2432	3896	opeA132.exe	86
PID 3896 wrote to memory of 2432	3896	opeA132.exe	86
PID 3896 wrote to memory of 2432	3896	opeA132.exe	86

C:\Users\Admin\AppData\Local\Temp\27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27005c3adf9f599b4203ed2252baf962_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\ope9FAB.exe
  "C:\Users\Admin\AppData\Local\Temp\ope9FAB.exe"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\opeA132.exe
  "C:\Users\Admin\AppData\Local\Temp\opeA132.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\ggao.exe
    "C:\Users\Admin\AppData\Local\Temp\ggao.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ggao.exe

Filesize
148KB

MD5
7b4bbb02928e8e79010d82c87298c87d

SHA1
d268a4218ab1ef18f60184efa2085c2443933ebf

SHA256
5bc47ba9c4a6e2086942a61d4f3f4a81e85d563dd4d844887441edb0e13b1516

SHA512
0b7a4f5fd273669565f13daaca19fd36a8f6c30c3c7d951246f96fd4656829efe3d23ff615848c6e4ea0bbb7a3c995a7f9c5c567949e06f889b8e06eb8867a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope9FAB.exe

Filesize
43KB

MD5
018487e9248bfdda4321c6f0aa23deba

SHA1
989278a32c574aa6a1b6662712e5a0d08d1b9e85

SHA256
c12b9feadc5f7957472c6d3c1d383588c0f60a35cadfcebd48d812a15bf6eaf5

SHA512
752f4b61cad3058aaf1a137967d058f569a02de154c5d96eb1c9cb83ffc9ab4c505e2636ba67546789aed1ba5cf2882469091033573a0eaaf3590e203a57d5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeA132.exe

Filesize
95KB

MD5
1afb677279651fb92c716713244e108d

SHA1
b21b0733219d9ad2610344671670ec33fa80d3f2

SHA256
7c4182503c7219d80b0b1a486cd3d729f07c6cd48a2224afe2926258789b35d1

SHA512
b233f2a9bf56aef97b5413c3f37f6ff08465661bdc4752ef489628012894e6449598f41c08d3741097c0f3af01639cbb44ee8bd045851aa0f820a2f9e667bb9a

Download Submit
memory/2872-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2872-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2916-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3896-23-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3896-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3896-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3896-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads