24b367fbfb01268cd2d04020562ad7d86b381bd67c00661c1b0a608d0bf8f7f5

General

Target

366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
Size

1.3MB
MD5

366695391a81f369fbfc02db1b56ba8d
SHA1

622e301f0fe40defa6f61e6da6b72f85268d91ac
SHA256

24b367fbfb01268cd2d04020562ad7d86b381bd67c00661c1b0a608d0bf8f7f5
SHA512

e8a4c3adbb0f998cefde55a78a1fb059285fa557956c22f3ebab0f6945c1cca8e77b6622fac914db258d4c701b2cc9a0e99111951a8095500df8e1effe54b20f
SSDEEP

24576:Q3nZqfbiADv6p7Zr6rt+UADi9fUC00zBfb53Q3pofcCeuHdlQ1lag/EdjFc:QSipFCtWTNG5g5okvuMIG

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PHOTO.EXE366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	PHOTO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	2.exe

Executes dropped EXE 3 IoCs

Processes:

2.exeCCLEANER.EXEPHOTO.EXE

pid process

944 2.exe
4352 CCLEANER.EXE
2476 PHOTO.EXE

pid	process
944	2.exe
4352	CCLEANER.EXE
2476	PHOTO.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe	upx
behavioral2/memory/944-9-0x0000000000400000-0x00000000006D4000-memory.dmp	upx
behavioral2/memory/944-30-0x0000000000400000-0x00000000006D4000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

PHOTO.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings PHOTO.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

3980 mspaint.exe
3980 mspaint.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mspaint.exe

pid process

3980 mspaint.exe
3980 mspaint.exe
3980 mspaint.exe
3980 mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	PHOTO.EXE

pid	process
3980	mspaint.exe
3980	mspaint.exe

pid	process
3980	mspaint.exe
3980	mspaint.exe
3980	mspaint.exe
3980	mspaint.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe2.exeCCLEANER.EXEPHOTO.EXE

description	pid	process	target process
PID 4800 wrote to memory of 944	4800	366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe	2.exe
PID 4800 wrote to memory of 944	4800	366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe	2.exe
PID 4800 wrote to memory of 944	4800	366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe	2.exe
PID 944 wrote to memory of 4352	944	2.exe	CCLEANER.EXE
PID 944 wrote to memory of 4352	944	2.exe	CCLEANER.EXE
PID 944 wrote to memory of 4352	944	2.exe	CCLEANER.EXE
PID 4352 wrote to memory of 3936	4352	CCLEANER.EXE	pcaui.exe
PID 4352 wrote to memory of 3936	4352	CCLEANER.EXE	pcaui.exe
PID 944 wrote to memory of 2476	944	2.exe	PHOTO.EXE
PID 944 wrote to memory of 2476	944	2.exe	PHOTO.EXE
PID 944 wrote to memory of 2476	944	2.exe	PHOTO.EXE
PID 2476 wrote to memory of 3980	2476	PHOTO.EXE	mspaint.exe
PID 2476 wrote to memory of 3980	2476	PHOTO.EXE	mspaint.exe
PID 2476 wrote to memory of 3980	2476	PHOTO.EXE	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE
"C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {22bfeed6-cb41-4fe3-9e7b-fab443ef9e19} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE"
4⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\PHOTO.EXE
"C:\Users\Admin\AppData\Local\Temp\PHOTO.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\photo.bmp"
4⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE

Filesize
2.6MB

MD5
fb3454a3a2ca33aed9b12a0dde847eb9

SHA1
7a8e9d92b4fcc72f2cd33d5deda45f0dbb76a647

SHA256
a5bf5244b6e8fafafba04a453265e265c9adcb93d7a9453a6bf93b1d366ed5cd

SHA512
1c4546d87ebd29dff5357d3bbe7bcf870e7b5722262804ea1013a3638eeea8c904ab924fd31d9289203e60821d2af7053021c090f209a824b96f3cb6a7da8405

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHOTO.EXE

Filesize
118KB

MD5
f29cafd37cda63dff66e6d4913f311f6

SHA1
6b01b69dda24f94c8124df36939a424515fb8be1

SHA256
41dbf8b714e715be4516d51f564e5cfa3e966547fed89a7269413b2491ad9361

SHA512
1055f1d6934a2805a8a3a363545f18c2c77b9d1d90605eb5eeadb5685441ab213316323ac217360e5fd845acebf84d6d23a78f296c11516c18ab684fe1b12350

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
1.2MB

MD5
ab88930956d332bea23524a75797b5e5

SHA1
8983d1f6cda43eb11525385f4ad7aa0b6d4592b1

SHA256
757389282387c07460337689f89b842443fc0a2e600fb8db5e0466631c7c9927

SHA512
4b2280530df8bbbfaa6d1ce810f9600873d8cef6aef5c212d7e59f5d0ec338eb3450b6be6feab5472c06bdd6331b9c3547aa69fb890300fca177821a9701f7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\photo.bmp

Filesize
732KB

MD5
14de31e2cfb63ae268ec860f075543d3

SHA1
4e0f17eb4f20a69df38bd73c1bb2bd727c34f05b

SHA256
c509abcf024b5624d76662236b3a93d4ac3a03d782df9a4b5126626674b5bcc6

SHA512
f29b362abb92ddcf690bcd1318d83f83fc06eef383f4687450e4e36fd438d549c4b6d4e290bdb5ca0ec1a02364a15fbf5db39e64251de9f34021bf2feea5d53d

Download Submit
memory/944-9-0x0000000000400000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download
memory/944-30-0x0000000000400000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads