eb2bf143b7eb3cf09e17af4946aec7baf1c7da5ae6f39d1f8b72ff65a5633762

General

Target

30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe
Size

5.7MB
MD5

30b57f1da8d368cdecd204ecff216cc7
SHA1

e04aefa6a163b6b2516bc8a1f1c6e5023627a996
SHA256

eb2bf143b7eb3cf09e17af4946aec7baf1c7da5ae6f39d1f8b72ff65a5633762
SHA512

b14195acf9d61d5d80eae3a3e0773c46f434667841f2f38cb896d75725511cb267b4ef80c8e0be9558b2f2a7c86ece47265c3f5daae7b4650955320701c3b5ec
SSDEEP

98304:yL4cwhKaZm98WL2zlbqSNzkSwFCSXMcKGXXxItI/ITPAJhLhHGTsPrCyc9i6Mlgr:4EhKapXbHqJXsOE4XhOUkinlgUGr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	4021.tmp

Deletes itself 1 IoCs

pid	Process
4808	4021.tmp

Executes dropped EXE 1 IoCs

pid	Process
4808	4021.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	4021.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1772	WINWORD.EXE
1772	WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4808	2224	30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe	89
PID 2224 wrote to memory of 4808	2224	30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe	89
PID 2224 wrote to memory of 4808	2224	30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe	89
PID 4808 wrote to memory of 1772	4808	4021.tmp	93
PID 4808 wrote to memory of 1772	4808	4021.tmp	93

C:\Users\Admin\AppData\Local\Temp\30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\4021.tmp
  "C:\Users\Admin\AppData\Local\Temp\4021.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,18267267250369716772,14567143188126594249,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30b57f1da8d368cdecd204ecff216cc7_JaffaCakes118.doc

Filesize
16KB

MD5
9e446d33e546c8756f04bf31c77f7cc7

SHA1
3e153d2a879b7d83b7f0d9f5f3ac0d5ffcc2bcbd

SHA256
a5cd55b45db10ac6b1e97319f6998e1b4edb3ccc29fb66be10d7ac85a9a91510

SHA512
4fd1b3849695c84a62f3a6de9d2e64f8e33c57be9ff57abb2cc4f34d0d5c11d65e083fa397490ac969892207f2ad70132eaf8643a54701e6854c0805e7b53547

Download Submit
C:\Users\Admin\AppData\Local\Temp\4021.tmp

Filesize
5.7MB

MD5
40cbdb52bfcc9921c6f3276b8fe19d01

SHA1
5544ce4d7f9ac5adc25c64ff5c6fb45b1832bd8a

SHA256
d49feac9114dd66f3fcb9d6759c202abcbd492145e3e420c12e68656bb53fc4c

SHA512
2bdeef9c88d6733dcad8453cbd4988b939149322e577e6b1096f267dd6d83953d0766429d6028a54abd47c5ebd881ce6528cd2033806e83be533716d5b9db0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD85F0.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
88463c72bfc3181610a91cd2bbf587bd

SHA1
eb8f14275d4b49c185c0dc4d8f5c7221d0b2125e

SHA256
d7b62d3ed7ba5f0d3cc966a3461863a94c17e7743a4b6b5f97695b02ffce21bf

SHA512
baff2689ba3af87d5bdcd6b14b371db0ad9364b7160b56f1f4db26616c3a1d0551abc99791204b1928706f6d13f8ed3304a25135eb196f4ca9669440da9b741b

Download Submit
memory/1772-27-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-30-0x00007FFE07200000-0x00007FFE07210000-memory.dmp

Filesize
64KB

Download
memory/1772-12-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-20-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-21-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-19-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-18-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-17-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-23-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-24-0x00007FFE07200000-0x00007FFE07210000-memory.dmp

Filesize
64KB

Download
memory/1772-22-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-25-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-15-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-29-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-28-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-16-0x00007FFE496AD000-0x00007FFE496AE000-memory.dmp

Filesize
4KB

Download
memory/1772-34-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-33-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-32-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-31-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-26-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-14-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-13-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-166-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download
memory/1772-186-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-188-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-189-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-187-0x00007FFE09690000-0x00007FFE096A0000-memory.dmp

Filesize
64KB

Download
memory/1772-190-0x00007FFE49610000-0x00007FFE49805000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads