421e4717119a24f1749e9b2dfff0edb2988b1153d1a5017d6cf4111ed8fba031

General

Target

3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe
Size

607KB
MD5

3645e121513506f8d973c2586eda42a9
SHA1

bb2341b8a1bd0dcbc92f87c15e9f9a328d43d9de
SHA256

421e4717119a24f1749e9b2dfff0edb2988b1153d1a5017d6cf4111ed8fba031
SHA512

47bed758c70fe06e42dc631ad2ff2e914d9ac80268098d4b17eecfbfd3cc6d762fe9debde4b69663092e860e7af1ceb7f6ff6afb68eac9f01a044702c86188a9
SSDEEP

12288:HP/+yvsejIKVqRcaBdmuKYnxNF3Z4mxxrDqVTVOCKv:HceIOqyayuhxNQmXiVTzKv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
916	Server_Setup.exe
2716	Hacker.com.cn.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\Server_Setup.jpg	3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File created	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	Server_Setup.exe
Token: SeDebugPrivilege	2716	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 916	1776	3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe	86
PID 1776 wrote to memory of 916	1776	3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe	86
PID 1776 wrote to memory of 916	1776	3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe	86
PID 2716 wrote to memory of 1516	2716	Hacker.com.cn.exe	88
PID 2716 wrote to memory of 1516	2716	Hacker.com.cn.exe	88

C:\Users\Admin\AppData\Local\Temp\3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3645e121513506f8d973c2586eda42a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1776
- C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe
  "C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:916

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe

Filesize
283KB

MD5
b56fcb422ef977bc0a7c574ee9f23e3d

SHA1
5b39278c9543f6d515e703d852220c8d19e9faa8

SHA256
31375ed14235fdcb7f2899b2996731cca1ff5608fe21b5191dc5c0102ffa042f

SHA512
f4193c37d991cd25dc51b7dc4b61e47d50ad6d8d7d1fb0ccb61e5e32a7785b8c32959a2d5580ef342e3b54b9aa9fd5853f10e2c1c1fa477644cda3030b6eaf29

Download Submit
memory/916-47-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/916-41-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/916-37-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1776-13-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1776-10-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1776-24-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1776-23-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1776-22-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1776-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1776-21-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1776-20-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1776-19-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1776-18-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1776-17-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1776-16-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1776-15-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1776-14-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1776-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1776-12-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1776-11-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1776-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1776-9-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1776-8-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1776-7-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1776-6-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1776-5-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1776-4-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1776-28-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1776-29-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1776-39-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1776-40-0x0000000002270000-0x00000000022C4000-memory.dmp

Filesize
336KB

Download
memory/1776-2-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1776-1-0x0000000002270000-0x00000000022C4000-memory.dmp

Filesize
336KB

Download
memory/2716-46-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2716-48-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2716-49-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2716-53-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing