03cae0f3d5be8aa60736ddb3def87cb1e273510eddcf69c48a220f628d6804f8

General

Target

2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
Size

27KB
MD5

2710d373c3fef30bc44594eb96b4e871
SHA1

d71b889c7e76d552baccf92d26f3a082f4336298
SHA256

03cae0f3d5be8aa60736ddb3def87cb1e273510eddcf69c48a220f628d6804f8
SHA512

7d5ebcaea212491f0d8d7aec03166250839253ef4c99bb99316b16a5df94617e32a6a66a7807af9783b4e25d79ce653abb7833cf7df11d324118135d111cfabd
SSDEEP

768:ZmC5luW1li8Pd4dkGy/javV4sAZTom0sjtn4Lgq:Pq862+vqN10sjtn4Eq

Score

8^/10

persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	~e583be1.tmp

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4344-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4344-5-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4344-15-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3244	taskkill.exe
1748	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
4756	~e583be1.tmp
4756	~e583be1.tmp
4756	~e583be1.tmp
4756	~e583be1.tmp
4756	~e583be1.tmp
4756	~e583be1.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3244	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	92
PID 4344 wrote to memory of 3244	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	92
PID 4344 wrote to memory of 3244	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	92
PID 4344 wrote to memory of 1748	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	95
PID 4344 wrote to memory of 1748	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	95
PID 4344 wrote to memory of 1748	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	95
PID 4344 wrote to memory of 4756	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	101
PID 4344 wrote to memory of 4756	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	101
PID 4344 wrote to memory of 4756	4344	2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2710d373c3fef30bc44594eb96b4e871_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\~e583be1.tmp
  C:\Users\Admin\AppData\Local\Temp\~e583be1.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,12101950716832706950,8384629015980369538,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~e583be1.tmp

Filesize
6KB

MD5
1ba9e6a8231bd5b3fa973e49bdbc4dbe

SHA1
946df9a5475ea75aa13b9ca5669e768e76874395

SHA256
080457b782373eddea649f01cc23a322c90996cbe5f8da48cacdeb5e1d3c75a6

SHA512
0ba4038ca6496aa17f0c33d7918f2ca08906fe9a202d689c5df83c49d4a3a7b7db794369639fc6aad6632dd3e966846cbd64a903125971dfd3f35a5e11438680

Download Submit
memory/4344-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4344-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4344-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads