f08d3fc42938ef947f8d07a5bd99ac45f8e387585b4c741e96c33809c6cdd437

General

Target

323af91c806601de87841e05b00b63cf_JaffaCakes118.exe
Size

374KB
MD5

323af91c806601de87841e05b00b63cf
SHA1

b7c5a012a60381f89e069ec16e689b4e69b9e91d
SHA256

f08d3fc42938ef947f8d07a5bd99ac45f8e387585b4c741e96c33809c6cdd437
SHA512

8388bfdc8bdb56442e6803b5027cc6e06e2a1db7dc7748fd76e84b8d5cafdbaec7b36725d8de1501fcb353535bd3661ca61affb2ec0a8373cdad597c5f660128
SSDEEP

6144:ilEdB/6CS4V0T/IomwEe1VO49EYFzDCpWZ5m7UHxhhtmXo5G6pcoHkbdEx:5xtaTgom/LYfZ5mIHvg8cxbCx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3932	wildgirl.jpg.jpg.exe
2192	7za.exe
2936	ic2.exe

Loads dropped DLL 1 IoCs

pid	Process
3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3932	wildgirl.jpg.jpg.exe
3932	wildgirl.jpg.jpg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3932	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	83
PID 3784 wrote to memory of 3932	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	83
PID 3784 wrote to memory of 3932	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	83
PID 3784 wrote to memory of 2192	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	85
PID 3784 wrote to memory of 2192	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	85
PID 3784 wrote to memory of 2192	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	85
PID 3784 wrote to memory of 2936	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	87
PID 3784 wrote to memory of 2936	3784	323af91c806601de87841e05b00b63cf_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\323af91c806601de87841e05b00b63cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\323af91c806601de87841e05b00b63cf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\wildgirl.jpg.jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\wildgirl.jpg.jpg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\ic2.exe
  "C:\Users\Admin\AppData\Local\Temp\ic2.exe"
  2⤵
  - Executes dropped EXE
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
2f16996ace819126ccc84af270ab16af

SHA1
d6ddfca44d7de85559ee6497b9c82bb8842aed93

SHA256
0b34ac2157b9d6ccdf2af9465d90ca412abb02960b197650d9a14f264f1e7e33

SHA512
95d118838438723bf61c36eb0008ff9d57ba96b95d2dc749e0876f8d93c025bf617a07f5127a14b6ce81767bf9a704e1bd7ad4b31b54b3337f231001658a1a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic2.exe

Filesize
18KB

MD5
7a544f406514297de2f84031fe60d4dc

SHA1
4fb70c9342a6e302ddbbc1f62d6eb590c47dcdf0

SHA256
1369b25194558cb2c4f332a2282576c42ac2b71dbb7ba98850121cd85a828f74

SHA512
86a281986e470ea1b416346fc779854a7a2f54ea0d789e22f100998e508702741d9907708999066acecc5c1312bb68aa6420b2b9d61d539c3f9f2859f7b87c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDC97.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\wildgirl.jpg.jpg.exe

Filesize
141KB

MD5
c0e0937bd13a9b5a2f3b56b13e597b17

SHA1
9ab23e3540a699a8338060f5214bb0c7ea06dde2

SHA256
954cdfab6e9427bcc75d6505b4a68113544046ff6c343b5bb71951f2647ae9e5

SHA512
b014d450996a10befc660e3e12496d000d2393c3138a6ad1d1fbb9e18b57333b892c94d55e812cc1e7c3a2808e837da5fc5aaf8ecfbe81f8a9b0a195aa3e95fb

Download Submit
memory/2936-28-0x000000001B110000-0x000000001B1B6000-memory.dmp

Filesize
664KB

Download
memory/2936-27-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2936-29-0x000000001B690000-0x000000001BB5E000-memory.dmp

Filesize
4.8MB

Download
memory/2936-30-0x000000001BC60000-0x000000001BCFC000-memory.dmp

Filesize
624KB

Download
memory/2936-31-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2936-32-0x000000001BF10000-0x000000001BF5C000-memory.dmp

Filesize
304KB

Download
memory/2936-33-0x000000001BFC0000-0x000000001C020000-memory.dmp

Filesize
384KB

Download
memory/2936-37-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing