d14393e4d8803103b4b0534adeec6cacacfb0a1c726629680478d9d413f8c232

General

Target

46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
Size

2.2MB
MD5

46fe2546a2c1bb35f6860a18569921f9
SHA1

1a569d1e2fb57962ae11e0dd29698e91287e5d80
SHA256

d14393e4d8803103b4b0534adeec6cacacfb0a1c726629680478d9d413f8c232
SHA512

4796a24467166ad81a82ad758a3caeaac9f32a1ddd6ad456fd4d94bee0755803dbe1be8b8c1d09254a8152831b44590186336969144dbe9a40ef940865c89867
SSDEEP

49152:HUGEBRAokI3bXPcWxdTi5YP6K+b0CNYr8yfBbvX5E5beeFX6K:HbORnkI3bfcOdT8Q6KzCNYrDX54jFD

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	scrss.exe

Executes dropped EXE 3 IoCs

pid	Process
1416	setup.exe
4716	foxybot.exe
544	scrss.exe

Loads dropped DLL 4 IoCs

pid	Process
544	scrss.exe
544	scrss.exe
4716	foxybot.exe
4716	foxybot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scrss = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4684	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1416	setup.exe
1416	setup.exe
544	scrss.exe
544	scrss.exe
544	scrss.exe
544	scrss.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4716	foxybot.exe
4716	foxybot.exe
4716	foxybot.exe
544	scrss.exe
4716	foxybot.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1416	3624	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	87
PID 3624 wrote to memory of 1416	3624	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	87
PID 3624 wrote to memory of 1416	3624	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	87
PID 1416 wrote to memory of 4716	1416	setup.exe	88
PID 1416 wrote to memory of 4716	1416	setup.exe	88
PID 1416 wrote to memory of 4716	1416	setup.exe	88
PID 1416 wrote to memory of 544	1416	setup.exe	89
PID 1416 wrote to memory of 544	1416	setup.exe	89
PID 1416 wrote to memory of 544	1416	setup.exe	89
PID 544 wrote to memory of 2460	544	scrss.exe	90
PID 544 wrote to memory of 2460	544	scrss.exe	90
PID 544 wrote to memory of 2460	544	scrss.exe	90
PID 2460 wrote to memory of 780	2460	cmd.exe	92
PID 2460 wrote to memory of 780	2460	cmd.exe	92
PID 2460 wrote to memory of 780	2460	cmd.exe	92
PID 780 wrote to memory of 4684	780	cmd.exe	93
PID 780 wrote to memory of 4684	780	cmd.exe	93
PID 780 wrote to memory of 4684	780	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\foxybot.exe
    "C:\Users\Admin\AppData\Local\foxybot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4716
- - C:\Users\Admin\AppData\Local\scrss.exe
    "C:\Users\Admin\AppData\Local\scrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
141B

MD5
c43bd7836a8cf448f69638e14889ace4

SHA1
b7cdd6cabefdecad0f27f0c56215661e3fe2bb60

SHA256
c5d8cfcd50c0a777ec07376edcb4a80b2e22bb8d115c2d2f5718022fb78e82d9

SHA512
077301b1326b81e6069d66e7ddf6605809b74db34a4b131994089bd49787d172052e70ee980b66915bf665385355a80da6a5981bc5f1971b74145f499e73adf2

Download Submit
C:\Users\Admin\AppData\Local\foxybot.exe

Filesize
752KB

MD5
5e0aafdd4d056ef8889fd8d83357708d

SHA1
5d30e99d2d557bb947bf4b1677ba70745741a491

SHA256
05c24fe54f55d1d54d56908d5e9f55672d1eda52cda1e1fff73ca9e2cb83dfe2

SHA512
58ebd0918521a1e2262e69cd1ccb46c50d908a814e18985bb518f61e88891cbbf074fb449dd4e792efcaa1183b451c4bdf35d3d713593bd14b0ac9803e03a153

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
8380322522bb509450441bfd9eb341be

SHA1
6e72ee00e97d26bd62d956f87d5a8e83fa70104a

SHA256
1bfe346c455fa962ef1113b0ab6915a4b290ddaad7618c94caa8a3f17e2be71e

SHA512
7faa191d0750408db656762f9a98ec56968a88a3c8672b7135576544c67d76370e85634604e3b8d35b2d64ff2a7cfbac75f8f22ee900ba25b957ca1123071c5e

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
444KB

MD5
7d4ccd44a98e70fab7c6407d8e5b096d

SHA1
41213e37f0e53c0240f0b1fc76d7fa4dc25a0ca1

SHA256
00a6a5b368d6ad0fa0dee0e65319e51836e90ec6de1d493c4ee2a5b6160a635c

SHA512
43a2f8066c4e9f926c052cdc08b4c2716fac909d7fa17f076c0ed5e15962ab8b4b099daa183c28ca8676a12d330daf0a46ebe2bc626aa7cfa8a8f570ad9e7aa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe

Filesize
1.6MB

MD5
156c2ea4b91c579724a7cbe9aa7cfc3c

SHA1
a1def009885f358162e25eb2ee6fdc7bf4b1bd84

SHA256
c1c4cc0f02fad9726546d0cb0632e369e5392ee4113642099d90dbcfb5b231eb

SHA512
183c7a62bb1e1ecb78e53e95fe64b3e89edc2248d4d1f84ae877138b4f11e39b07235d338faa8a5906af0ecff5e33e605c0b8d930c69b1f5edf79eedaea38baa

Download Submit
memory/544-46-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/544-36-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/544-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/544-49-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/544-57-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/544-63-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1416-28-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/3624-9-0x0000000004000000-0x000000000422F000-memory.dmp

Filesize
2.2MB

Download
memory/3624-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4716-42-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/4716-44-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads