f2167716d8292af49a4b3fd8510501462d58337ccebec3c78c9087a9ef3612bf

General

Target

3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe
Size

1.7MB
MD5

3e43904e7a2463d918cab263f9d7c129
SHA1

bce43ab5e5535403475b327c141734eb97233252
SHA256

f2167716d8292af49a4b3fd8510501462d58337ccebec3c78c9087a9ef3612bf
SHA512

e981325aeacd889e45e80c25dfc82b1cadcd1b4a741d5ae407234ec80b6fa16d971540fe883605c1ca57109d0e81978072bd543219ae9ce73ec8c43a78709bf6
SSDEEP

49152:kRaqrZon4TYFyhPhMP1rYRU52DJbWoEop+:kRaq8UPhVXDJbWoLE

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	install.exe
1344	isass.exe
3216	multihack metin2 it.exe

Loads dropped DLL 2 IoCs

pid	Process
1344	isass.exe
1344	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2088	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe
2272	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1344	isass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	isass.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 2272	3548	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	87
PID 3548 wrote to memory of 2272	3548	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	87
PID 3548 wrote to memory of 2272	3548	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	87
PID 2272 wrote to memory of 1344	2272	install.exe	88
PID 2272 wrote to memory of 1344	2272	install.exe	88
PID 2272 wrote to memory of 1344	2272	install.exe	88
PID 2272 wrote to memory of 3216	2272	install.exe	89
PID 2272 wrote to memory of 3216	2272	install.exe	89
PID 1344 wrote to memory of 1028	1344	isass.exe	90
PID 1344 wrote to memory of 1028	1344	isass.exe	90
PID 1344 wrote to memory of 1028	1344	isass.exe	90
PID 1028 wrote to memory of 3224	1028	cmd.exe	92
PID 1028 wrote to memory of 3224	1028	cmd.exe	92
PID 1028 wrote to memory of 3224	1028	cmd.exe	92
PID 3224 wrote to memory of 2088	3224	cmd.exe	93
PID 3224 wrote to memory of 2088	3224	cmd.exe	93
PID 3224 wrote to memory of 2088	3224	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2088
- - C:\Users\Admin\AppData\Local\multihack metin2 it.exe
    "C:\Users\Admin\AppData\Local\multihack metin2 it.exe"
    3⤵
    - Executes dropped EXE
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
1.3MB

MD5
5b4b7c12339a5acb9a38466decd6e8f2

SHA1
f084d14dc3b277da1ed4a5a298de3c7b2f49c7ba

SHA256
b02070d6171d12b371e6e51c5e9966b9322f39e39fad88d59ea8c200656a092a

SHA512
45c1e326e46d542dc672e46cbd86e549ea1caaf1e2e4894931ba0650ba7d8e7041d2b7a8cc1b19d8d92c1de88fcfdbf05799f7189442f53033cdb8229bb9b742

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
480KB

MD5
c5630a4509929bfc6c85a280285ca934

SHA1
52bde69afb354fd3b3a1b49f453e521de1ce0fb2

SHA256
54e531eeb80f977fc9ee005c26b0b0e5157d4e06f4ac9bef4cfd985175ad331f

SHA512
5203de240bb36bb0da77e08dc2664cdaf4bf8997f2ccc2af92363a2e41f04c420435cfd6ff785c6cad581e791838b2564a7851681a0fce7bac47ed3b876b8ef0

Download Submit
C:\Users\Admin\AppData\Local\multihack metin2 it.exe

Filesize
476KB

MD5
c3f6a9b111db795f9b4d94c6ec15b6cf

SHA1
16c86a65afa86b09ee8332af2535a8a914c20c15

SHA256
6dcc669136d098f5b43b94b9cb76fb1af192ef34864f523fdfdb0c36f0f50d48

SHA512
2bee02d939acde50fc86f2240fd0a3f78963ca7f2371ba7dd630770e244a8042ece31b35106ba633302b7ec02a466efeeb5e34da845c22d0ef61344ce1e7732e

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
216KB

MD5
80c93fe64268e17e644e55d4f46fdefe

SHA1
f275bd8a5426398afbf855df8fe9504ed5d8adb3

SHA256
d4fecb746734cd651a9dd064c25754dc87aa7e65c796d5eb9d355893449bda6c

SHA512
8789a9c917879ddb7fc41e0c2bd64398bb93836d7229e38d118702d92f14b29547594b719bd27b5cca030756949129d312dff7a5e40447c9e48ae256fe610a39

Download Submit
memory/1344-33-0x00000000009B0000-0x00000000009EC000-memory.dmp

Filesize
240KB

Download
memory/1344-36-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1344-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1344-44-0x00000000009B0000-0x00000000009EC000-memory.dmp

Filesize
240KB

Download
memory/1344-68-0x00000000009B0000-0x00000000009EC000-memory.dmp

Filesize
240KB

Download
memory/2272-37-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/3216-38-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/3216-40-0x000000001C350000-0x000000001C81E000-memory.dmp

Filesize
4.8MB

Download
memory/3216-41-0x000000001C960000-0x000000001C9FC000-memory.dmp

Filesize
624KB

Download
memory/3548-0-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3548-9-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads