c4b7722865cc05b8c17239f9ba2f02a6c2caf1345e8bab4e5e977ebe6e23c03b

General

Target

2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe
Size

244KB
MD5

2cfebc2c5225487b06055c48b2f31fc7
SHA1

b03fc98686e47fee02f3b1a241e86edc3399d097
SHA256

c4b7722865cc05b8c17239f9ba2f02a6c2caf1345e8bab4e5e977ebe6e23c03b
SHA512

5385dc60358f851e401305df7767a54860cd87eb57332d75f9eb5ae69cef3981972d90cc10616beb8d576fa0ff2d5f3d150b178e951e8e7fc7bad7a85475235e
SSDEEP

3072:tcTnbdeCCgAXNeJswVhfFaqgt/PG44t4CAUc12dcqCksRp9IILZ9U652V4l4aAeC:2NeCCgAXNeJswVVFaqC/PD4+T5jUEFP

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	install(2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	install(2).exe
3280	file.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	install(2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	install(2).exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\braviax.exe	install(2).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2348	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	84
PID 780 wrote to memory of 2348	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	84
PID 780 wrote to memory of 2348	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	84
PID 780 wrote to memory of 3280	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	85
PID 780 wrote to memory of 3280	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	85
PID 780 wrote to memory of 3280	780	2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe	85
PID 2348 wrote to memory of 3180	2348	install(2).exe	87
PID 2348 wrote to memory of 3180	2348	install(2).exe	87
PID 2348 wrote to memory of 3180	2348	install(2).exe	87

C:\Users\Admin\AppData\Local\Temp\2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cfebc2c5225487b06055c48b2f31fc7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\install(2).exe
  "C:\Users\Admin\AppData\Local\Temp\install(2).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
    3⤵
    PID:3180
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
158B

MD5
ed3a20d62bc63363839626e18b258c1e

SHA1
5f20481cbaa83c14c26f8e6216c316d1752e04fa

SHA256
2800208a6747203dedae25217b74bcd0b91d82ccb63208c98217855277204e4e

SHA512
e09fc626dd4895c47b9ee444c7deae41e82cade581d0fba4ea35b09392808e7c5cc1853c26861b3a598d120cd47a1f20964d03018f84fe4e58754fe2028439d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
55KB

MD5
a301e7182bacdeb89fbd965d88a1919a

SHA1
7f10f2810d66e0eedd06dcafb8391116ce8d6d48

SHA256
c78d96669a648dfd7bd6303006dffd600d78e21840c92b9bd1b8faddf85365cc

SHA512
b0b6a61cc7c4e3741761e171c687d7f90f3a7efad202fa1cc8d8643f6dda5ebc05a6686bf7f50fc04b9ca7145ae4b434651e1ebd24788f68de4a437593494ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\install(2).exe

Filesize
41KB

MD5
a72f84263911c3c7fd241e7bacfd100e

SHA1
4632c06a2061233906fb524a8663b4bb8e3c122e

SHA256
5efd6247ef5e913aee2bd48bb9f0aec0ee541b78d06b756f2a6c1c7a672bc908

SHA512
f5d3d0fe4f8377fad068c7f864e5869291e8cd5d30359553aced839f75adce52788ffbc864202160b690197a64981e0dc53f50d49214a41a354ac45bb2746ad1

Download Submit
memory/780-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2348-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2348-24-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/3280-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3280-25-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/3280-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads