bd966425c165a38e0f7d39cb433995a025915e4ed783f72e13dce8179c679f60

General

Target

2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe
Size

5.1MB
MD5

2fc191768ec1fcd0c44ad515eba02785
SHA1

d7fac412a7fcfbdca078ebb1bc766cfea7330bf1
SHA256

bd966425c165a38e0f7d39cb433995a025915e4ed783f72e13dce8179c679f60
SHA512

a4e0f1c124d6180dbf605f5f6933f47701d208b3867d3953863f1647353dcce5aa2c70cc11cafe91084f154be27332f4d55dbf86fa4a55426b84749d3c8c4dc9
SSDEEP

98304:DeMoBWz/XJWOygAqSnA4YDf+ONRXQ+TBMb5ZreQvyYmRshs4p:lWy/XJWOyRqC1cfBNRXQUMb5ZreSyfuN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	7za.exe
444	Setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002345b-40.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
444	Setup.exe
444	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1924	4176	2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe	85
PID 4176 wrote to memory of 1924	4176	2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe	85
PID 4176 wrote to memory of 1924	4176	2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe	85
PID 1924 wrote to memory of 3308	1924	WScript.exe	86
PID 1924 wrote to memory of 3308	1924	WScript.exe	86
PID 1924 wrote to memory of 3308	1924	WScript.exe	86
PID 3308 wrote to memory of 4596	3308	cmd.exe	88
PID 3308 wrote to memory of 4596	3308	cmd.exe	88
PID 3308 wrote to memory of 4596	3308	cmd.exe	88
PID 3308 wrote to memory of 444	3308	cmd.exe	89
PID 3308 wrote to memory of 444	3308	cmd.exe	89
PID 3308 wrote to memory of 444	3308	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fc191768ec1fcd0c44ad515eba02785_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BANDEAU.jpg

Filesize
21KB

MD5
523c100a6fec6eb73c10a705ba1a232c

SHA1
c6d6246e3a419033e405f057f38dcfec57eae628

SHA256
73347a81d34cee029012392a51fdc62e3dd53eb1a1d0f42b62d0f5080058cd68

SHA512
c4c7b0ea9aeff0dab543bda19862a078abce61fcaa1cf3a6c815dd52af34f31cdfc5042525ef02a908a9ebdb7c734c04a068c9593eaabdcee34d9aef38a2ece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
796KB

MD5
34a3a483ce35669f9a6aa193d1b02a7e

SHA1
cd8a0ad8029b6170c6e2d7a350bae96edefea596

SHA256
33f1d28d8ae82d4479f39affb4b91293c06af52c1bebebda9ecfecc4eaa37923

SHA512
5217fdf371bdc062bf8d3ad4f67baed3fe2f8fb26965935f2168006ba24a37361ba7703ac6799459ba40b4463db0cc6b81e9935c11b594915553a699eff2ee23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
4.6MB

MD5
e5f2a0b8625a622c7fd8663f82f1f701

SHA1
3a0d4a5bb826360829225b30aa2f78a15676268c

SHA256
2e1b3e531127bf1ed4df84746894b09e2bb05d26721ea138c971c46f5a302816

SHA512
77c11fa98ed20aa3b477ebcb680da6f4ceb03bb1547fd9c6cfed81214657acad974ddcea8287206c9e4c44df37e53b93c124bc4e7ad8476d67dd4b4bc42d6d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
360B

MD5
8d20560e2a5d85bff57e363281d590cf

SHA1
627245463fbe5dcef39a805219f9b87c853c5709

SHA256
a4bc8ef6e49c89c207d3908081c2422fe660a0f901cf87062a97141690980181

SHA512
e54c8559a4c3c391c883c2ce01564d792937c7d623bf16bad07bce1dcff75356d0ebf6464488b3018d47878a3ebbfda02bcc2fd37944885b83589deaafe13f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula.html

Filesize
16KB

MD5
2dc5eabf6bcfc144ec704ac1f989a5ec

SHA1
b65899aca1833bca7530cc559bff6a5f540d8277

SHA256
f16da6e85a5651698ecf9d277d101b74170a0f35e549f1272d7c978d06c9abb9

SHA512
6a11c0f4bfa7951d223400cc548b7fa3c7a6bd5e941a452dbc094c3695162c5f63324ca6a5c84fb2180f5219cf4f0062ca7a63845f6253e22c7b73d49c824004

Download Submit

Analysis

Sharing