17e20d4fe02cea1691fe644e059258b5c94c3a716f49a633e1812425f8a7f6ad

General

Target

4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe
Size

5.2MB
MD5

4816133e9df72e2024c815e2f8dad783
SHA1

07e8409059eaf25168e1de54aaaa76d059146cd5
SHA256

17e20d4fe02cea1691fe644e059258b5c94c3a716f49a633e1812425f8a7f6ad
SHA512

c08907b0ebaeb6274220312f0723a248d426528b4bebe3e0980fe31d72418bb331a2d54e77f09827a84621db8070fd5a93cfe4b476d5c5a9334185140d7cc844
SSDEEP

98304:ZiaRRoHX95ztsv0bQU6PxdRLS9TkabKaVJQIbGWOCSDJIrGpFHuaqiNfgil3nB1O:IBtE0f6PxdRLSVXFJ/yLDiwLTFVnB16L

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	7za.exe
4720	Setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1852-0-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1852-60-0x0000000000400000-0x000000000044E000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000234ca-71.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4720	Setup.exe
4720	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4824	1852	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4824	1852	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4824	1852	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	85
PID 4824 wrote to memory of 1488	4824	WScript.exe	86
PID 4824 wrote to memory of 1488	4824	WScript.exe	86
PID 4824 wrote to memory of 1488	4824	WScript.exe	86
PID 1488 wrote to memory of 4344	1488	cmd.exe	88
PID 1488 wrote to memory of 4344	1488	cmd.exe	88
PID 1488 wrote to memory of 4344	1488	cmd.exe	88
PID 1488 wrote to memory of 4720	1488	cmd.exe	89
PID 1488 wrote to memory of 4720	1488	cmd.exe	89
PID 1488 wrote to memory of 4720	1488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\Pack.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
465KB

MD5
885e9eb42889ca547f4e3515dcde5d3d

SHA1
d4206fc233e3a708b54439e1c2bc12b48a755ed1

SHA256
b3a70d388488c34dd5c767692eccc9effed36b8e7c1ee03ace1bd27123a2e6d6

SHA512
3e5ddfc47b9f28115385ef4d311d8c929be7daa6d9c22e1c57449488cd434f69695726bd6008d88fd0d570f38105c4b97b311fbd26d5ad79e1539e8d220a385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
80B

MD5
2ce6eef84b7f306858c23000f017e2a0

SHA1
1767837936825158d0a5faf707d130fcb3fe52b2

SHA256
6d7b5f31415ea7796876bee5350704fe556201800fdcb143ebfcd4bd450e9d4a

SHA512
47d989c8e394b0486841c056ab749a30351556773abe9e6d5f7c56db9d74a2cd9dc60c6d95ec75b6e4dde1887ac46aa044d346c5839d434d5174ba9a0cd50304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pack.7z

Filesize
4.8MB

MD5
9c7ff573ed42e92129d61b8da152615e

SHA1
24e2656457a012860195c936e3ed770d22b7ab48

SHA256
b619c2a66d09a236c71b332e50c13e41f94703a9dbb4b8d1b0eb4da12264464e

SHA512
1a0338bbf6cec9ca9e24cb5eb72866abfd39c8b8a6aea12edb0fe7f70e0a7fd6bc0e9b2054700da2a99c541bae7e4fb06596dbbb9f24a78db7f0052b05b772f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
798KB

MD5
a34de14846b4b412f99c5ad92c54aea6

SHA1
f5aad68846712dfd582ae9bcebc98cd2885886af

SHA256
52a4cd1650e2c29ab5fc8a72ab68b65d8302671bde2f32099bf581490d9089b1

SHA512
e2858af59016f85f15f21a5ddc699dd2f9b04e720e2538943c38605fe017c8bcc47e990696ac03cdfd0f68901811c351e700a8700cc9a5ecac3e15b00b24e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bandeaux.jpg

Filesize
26KB

MD5
9c1b420f4772b9f7d7b5ff01e174dc29

SHA1
274df92ece2c49591147d70744c4874a436b07f7

SHA256
01c7dfe7007c861325884737577a085bd805bc7a16d881af97c30650634d0d8e

SHA512
82fc8e8ec34d5f68cd0d5a9e55e63a12114924e3a784d54323fee5932da4fa428e54ee51f26c80d8326f4ed3409770d35fcf9e148012c52b421e02f1b1b8b215

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
376B

MD5
8e43dcf6964a7c171a6d78722ea4b790

SHA1
140bfed4b00aa4770089061413e89a6343957603

SHA256
49a49886a4dcf7aa2356a818e8ee52d59b44ea372ae3645b38e68c3b22aaf677

SHA512
d5967b3e26092caa10d32e1ba602eef505980b0e0f9de3e4860e01872ac3bbcf26ce07f9670289f7b72196e3007862872b6a7b4b634f41a27c0628232c9b06b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula.html

Filesize
17KB

MD5
ed16b03674655fc4d3fa431406ac9901

SHA1
15f995504fa56b3cc2413325cc43c2f3b2d8b843

SHA256
cd9dceabf43d32edbbdf5f4bef952020a2eea737d5beb7bf16b677078d34e2c9

SHA512
f8a000391751c29435370fc69d1f22f7b0f61da2944eacbb3e86956e81e21aa071020b85eb4fc247603add440848e751433ebc419457aa19532627948c91099d

Download Submit
memory/1852-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1852-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing