e0885c94e24bc683e18b6b04a07fb042efbe263170541a5d90cf8f20fe5e832e

General

Target

27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
Size

488KB
MD5

27fcf6f507fda2e72dd54fc627f79e37
SHA1

8234af82ded7979b843bc3ac2abd5b8c36fa5bac
SHA256

e0885c94e24bc683e18b6b04a07fb042efbe263170541a5d90cf8f20fe5e832e
SHA512

f25d801ed236dc3d3879af667b7a3058d8baee0a45bac2ba0aad6c80bbc7e3359a63a860cf1ce19547f93cfc751a772c2b4574e0e54f7f924e63b21d52b6b1a4
SSDEEP

12288:W9tTbLysKNy0j/+F5wvuztiBdp2sYY2jMMnMMMMM1f:W9RbLyry0jGcdTYhMMnMMMMMR

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
924	aAPpkloqjJeTsTO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aAPpkloqjJeTsTO.exe = "C:\\ProgramData\\aAPpkloqjJeTsTO.exe"	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Internet Explorer\Download	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe
924	aAPpkloqjJeTsTO.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 924	2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe	84
PID 2716 wrote to memory of 924	2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe	84
PID 2716 wrote to memory of 924	2716	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe	84
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56
PID 924 wrote to memory of 3540	924	aAPpkloqjJeTsTO.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\27fcf6f507fda2e72dd54fc627f79e37_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2716
- - C:\ProgramData\aAPpkloqjJeTsTO.exe
    "C:\ProgramData\aAPpkloqjJeTsTO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OqrYLqeioUUyyfX.dll

Filesize
440KB

MD5
e0c25a604c481e6bbafcc2c1d3aa113b

SHA1
adc91eb078c52c9237cee5b2fca0efd609d402b4

SHA256
b96f6f4c8ba226b128c828b92e41d6d6b4f095d63919b0a3edd69d712cfad543

SHA512
ec59d91bd555b51b31424a392e8796b478e83a0e7528ffec32a08dda42edfcb44795379fa0db8b0d2d83a7c5d9260a708065c833b2f653b33328a2c946fc6b04

Download Submit
C:\ProgramData\aAPpkloqjJeTsTO.exe

Filesize
488KB

MD5
27fcf6f507fda2e72dd54fc627f79e37

SHA1
8234af82ded7979b843bc3ac2abd5b8c36fa5bac

SHA256
e0885c94e24bc683e18b6b04a07fb042efbe263170541a5d90cf8f20fe5e832e

SHA512
f25d801ed236dc3d3879af667b7a3058d8baee0a45bac2ba0aad6c80bbc7e3359a63a860cf1ce19547f93cfc751a772c2b4574e0e54f7f924e63b21d52b6b1a4

Download Submit
memory/924-13-0x0000000014000000-0x000000001416F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-0-0x0000000002170000-0x00000000021E3000-memory.dmp

Filesize
460KB

Download
memory/2716-1-0x0000000014000000-0x000000001407A000-memory.dmp

Filesize
488KB

Download
memory/2716-15-0x0000000014000000-0x000000001416F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-16-0x0000000014000000-0x000000001407A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads