3305d0c6b2a0434823acd2c46974f1f1919272ec89d4e20ef09e650d4ba92272

General

Target

314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
Size

144KB
MD5

314fa4bbc486176e6b822143c681aa28
SHA1

a00c52c5be0250de933e1b3308766588e2b7d548
SHA256

3305d0c6b2a0434823acd2c46974f1f1919272ec89d4e20ef09e650d4ba92272
SHA512

3527dbc1aeb00effc7cc9e9fff43708cb03a10171a5bf57f916f3e2fda646eafc516affb168a3cc24ce2c9bdae23e5fcb1e5c9a6f0dc03d5114dd8f07ed452dd
SSDEEP

1536:9xXWjgnouy8p7XTTFz0xG4fEZ7zkh+FkLnXxffMv3B8AD9ww5kWi1c:9xXWcouthThIsLz2+yrp0v3B8SvkU

Score

7^/10

execution upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3636	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4004-12-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4036	shutdown.exe
Token: SeRemoteShutdownPrivilege	4036	shutdown.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3636	4004	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	84
PID 4004 wrote to memory of 3636	4004	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	84
PID 4004 wrote to memory of 3636	4004	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	84
PID 3636 wrote to memory of 1360	3636	b2e.exe	85
PID 3636 wrote to memory of 1360	3636	b2e.exe	85
PID 3636 wrote to memory of 1360	3636	b2e.exe	85
PID 1360 wrote to memory of 4036	1360	cmd.exe	88
PID 1360 wrote to memory of 4036	1360	cmd.exe	88
PID 1360 wrote to memory of 4036	1360	cmd.exe	88
PID 1360 wrote to memory of 1824	1360	cmd.exe	90
PID 1360 wrote to memory of 1824	1360	cmd.exe	90
PID 1360 wrote to memory of 1824	1360	cmd.exe	90
PID 3636 wrote to memory of 2880	3636	b2e.exe	91
PID 3636 wrote to memory of 2880	3636	b2e.exe	91
PID 3636 wrote to memory of 2880	3636	b2e.exe	91

C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\A141.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A141.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A141.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A354.tmp\batchfile.bat" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown.exe -r -t 172800
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Tempmes.js"
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A141.tmp\b2e.exe

Filesize
500KB

MD5
59c2e19384bae6663cd6f27087d74f8c

SHA1
eec5c6bb13857f19d6dfc04e1df118a522415742

SHA256
87b18e8349c8f4c1d8bd7dd66438d927540b1350752bb72abfed0e0feee52daf

SHA512
38717ae4c8c33d67872b8fb813865cadcd2d169e61691d4cffff86dd08372e9609b68cb806cafd388671847b3ffd87d296a5318b103154ae86f686aa75fd98e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A354.tmp\batchfile.bat

Filesize
492KB

MD5
671990fa199a285bd5d955f0991bf623

SHA1
d98e1a2fcf89e577f7f3b53ef411413aae96d343

SHA256
a2ac20aa614f642a7cf82ae85e54ad67c5aed9acbe5905805a5f473720a55f70

SHA512
2951655f3ef48d31d16da819260424acfc8feb4dd8145bbd206ebbda7f866149c1c400f65d54ff9a4838b22678ec02e7737c11a2aa36594270773817bdf52c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
19ec16b266b0c1a01bdcd3f37180a541

SHA1
c9e71072184661ee7ad7a5150c2dfd0f538f5ca4

SHA256
cdb2d9a9a553381b4cfd82633265397211312e5f7491d8f00a24b95d65f81ce7

SHA512
64fff5bd69db2cced445bb6260b2296c176ad2b7634929073f53da3942b197b9f42db38c832f581e3c67236d372711c158b5a607ff52f659ea8487467fb2f203

Download Submit
C:\Users\Admin\AppData\Local\Tempmes.js

Filesize
587B

MD5
40f08f0b20e53ce9b9788aa3e531fbae

SHA1
55980bd8521128682766bdf25e0936cb574f867f

SHA256
0b5d8eb463cb9353a0c7ccdfa7a73f814d31e4635bf3519db7f569bb87870f84

SHA512
171dcf0cac0e0a2caf9e878d2d54bcd6070163721a704ed041211473129874a89f89aaab8134e9c68e8cf0d40397d833ab61d0ce4e0533bd6b816fcdbe689f09

Download Submit
memory/3636-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3636-32-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4004-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4004-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing