0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc

General

Target

35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
Size

631KB
MD5

35918a863217dfc0451e2ba7d26d6380
SHA1

5bfdd0fb5c41e177a05daba0285f1ec69d4e1271
SHA256

0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc
SHA512

b1781779f4b0469f44b7562858fdff1cdd624a04235451cbe4e77ac857d60e28bbfd7178168ba021633a0af130b7ff2c307585ea651eda34778f86d853defb8c
SSDEEP

12288:UXFz23RuYQXkPtaqZ8bDS59aeqw+kQEaxol19VofYZuYg:/gr0PtaG59aaBQgl13rrg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2772	СпмцйЛьЕша.exe
4288	СпмцйЛьЕша.exe
3132	СпмцйЛьЕша.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	3132	СпмцйЛьЕша.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
520	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
2772	СпмцйЛьЕша.exe
4288	СпмцйЛьЕша.exe
3132	СпмцйЛьЕша.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 2772	520	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	85
PID 520 wrote to memory of 2772	520	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	85
PID 520 wrote to memory of 2772	520	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	85
PID 2772 wrote to memory of 4288	2772	СпмцйЛьЕша.exe	86
PID 2772 wrote to memory of 4288	2772	СпмцйЛьЕша.exe	86
PID 2772 wrote to memory of 4288	2772	СпмцйЛьЕша.exe	86
PID 4288 wrote to memory of 3952	4288	СпмцйЛьЕша.exe	87
PID 4288 wrote to memory of 3952	4288	СпмцйЛьЕша.exe	87
PID 4288 wrote to memory of 3952	4288	СпмцйЛьЕша.exe	87
PID 4288 wrote to memory of 3952	4288	СпмцйЛьЕша.exe	87
PID 3132 wrote to memory of 3700	3132	СпмцйЛьЕша.exe	92
PID 3132 wrote to memory of 3700	3132	СпмцйЛьЕша.exe	92
PID 3132 wrote to memory of 3700	3132	СпмцйЛьЕша.exe	92
PID 3132 wrote to memory of 3700	3132	СпмцйЛьЕша.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520
- C:\ProgramData\СпмцйЛьЕша.exe
  "C:\ProgramData\СпмцйЛьЕша.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
    C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3952

C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\СпмцйЛьЕша.exe

Filesize
631KB

MD5
35918a863217dfc0451e2ba7d26d6380

SHA1
5bfdd0fb5c41e177a05daba0285f1ec69d4e1271

SHA256
0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc

SHA512
b1781779f4b0469f44b7562858fdff1cdd624a04235451cbe4e77ac857d60e28bbfd7178168ba021633a0af130b7ff2c307585ea651eda34778f86d853defb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3419463127-3903270268-2580331543-1000\0f5007522459c86e95ffcc62f32308f1_da80f27c-12da-4232-b66b-1e1207d248ba

Filesize
1KB

MD5
bbe25c2da41e6d8dfa7ccfb8faa77e83

SHA1
a6bdb7898ca04678aef607485e272e8e65528c9b

SHA256
8727015fc15e0d68b2bc10f6c1667893721c94f2a72368995d95e3390e88933b

SHA512
8c4144cfcbfa2cd0df7322d0e1202b164e8cbccd1ac16b6719f41116f0022d481cc1e2dc8c67a18ce2641d426b6fbf22cdb64d54cbd0db093f099040cbbe1f06

Download Submit
memory/2772-11-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/2772-13-0x0000000002210000-0x000000000223D000-memory.dmp

Filesize
180KB

Download
memory/2772-25-0x0000000002210000-0x000000000223D000-memory.dmp

Filesize
180KB

Download
memory/3700-31-0x00000268BA2D0000-0x00000268BA2ED000-memory.dmp

Filesize
116KB

Download
memory/3952-23-0x000001A8E7AA0000-0x000001A8E7ABD000-memory.dmp

Filesize
116KB

Download
memory/3952-24-0x000001A8E7AA0000-0x000001A8E7ABD000-memory.dmp

Filesize
116KB

Download
memory/4288-20-0x00000000028A0000-0x00000000028CD000-memory.dmp

Filesize
180KB

Download
memory/4288-22-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4288-21-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/4288-26-0x00000000028A0000-0x00000000028CD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing