a4c934099489b876056578a9be9f9f5e61697c242303ac8277d3e11c4e9a7c80

General

Target

48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe
Size

717KB
MD5

48efd5e1d1766c95d53902649d1f185a
SHA1

11c95a5d17f71039feeb2fa131fefa5bf8791ad7
SHA256

a4c934099489b876056578a9be9f9f5e61697c242303ac8277d3e11c4e9a7c80
SHA512

86da0260ed81ca9657596dda1c72192ef91bbffd3b5348f83ccce279b3698a65769cf015fdebb3748facc854fc2c93717532577801092f6e332988f2c86f8d1f
SSDEEP

12288:LjWRsFmDaRO6mN+iHJ1O/Y2da9kBW9z9LKqGCALhuD8hWrUwRpGXp3Z:Lj4D36Mp1spk9kBW99uui88hWn+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Setup4300.Exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	HoneyBucket.Exe

Executes dropped EXE 3 IoCs

pid	Process
1688	Setup4300.Exe
1820	HoneyBucket.Exe
3992	CYPUTMRBHYB.Exe

Loads dropped DLL 4 IoCs

pid	Process
3992	CYPUTMRBHYB.Exe
3992	CYPUTMRBHYB.Exe
3992	CYPUTMRBHYB.Exe
3992	CYPUTMRBHYB.Exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\VTJMNNRBHYB.DLL	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\RNRXJYBNRBC.DLL	CYPUTMRBHYB.Exe
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\RNRXJYBNRBC.DLL	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\PrepFont0.Bmp	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\MasterTickerList.Txt	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\LocalTickerList.Txt	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\VTJMNNRBHYB.DLL	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\4300.Rep	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\MasterTickerList.Test	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\CYPUTMRBHYB.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\Reg.Ico	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\LocalTickerList.Test	CYPUTMRBHYB.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\TickerList.Txt	CYPUTMRBHYB.Exe
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\CYPUTMRBHYB.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\WordList.Tree	CYPUTMRBHYB.Exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 1688	3552	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	85
PID 3552 wrote to memory of 1688	3552	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	85
PID 3552 wrote to memory of 1688	3552	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	85
PID 1688 wrote to memory of 1820	1688	Setup4300.Exe	87
PID 1688 wrote to memory of 1820	1688	Setup4300.Exe	87
PID 1688 wrote to memory of 1820	1688	Setup4300.Exe	87
PID 1820 wrote to memory of 3992	1820	HoneyBucket.Exe	88
PID 1820 wrote to memory of 3992	1820	HoneyBucket.Exe	88
PID 1820 wrote to memory of 3992	1820	HoneyBucket.Exe	88

C:\Users\Admin\AppData\Local\Temp\48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Setup4300.Exe
  .\Setup4300.Exe HoneyBucket F
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe
    "C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files\BadgeHelp\HoneyBucket\CYPUTMRBHYB.Exe
      "C:\Program Files\BadgeHelp\HoneyBucket\CYPUTMRBHYB.Exe" 432172863 1256143886
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BadgeHelp\HoneyBucket\RNRXJYBNRBC.DLL

Filesize
48KB

MD5
67852c843237775ffa709fbb396766be

SHA1
c6f8254f5ed0b3aede9f0c45272f37fcad4e8062

SHA256
4a996b7135d3d79b38bbf86fbcd62b0f2409a80b048a3005be0351c1ace8c430

SHA512
50fcfd48a63c4ab88f614393dbdb07adb397220fe27f35d3b9468c8dd3f686e95a14f8e0fa44f9ce9dab80661c005a1df70c41d271f683d7cf499635177fa4f0

Download Submit
C:\Program Files\BadgeHelp\HoneyBucket\VTJMNNRBHYB.DLL

Filesize
68KB

MD5
9a68f7ab03ee894fdc18263fae213bbf

SHA1
de07ba56f1be3dcb469897d24919342abe48ef37

SHA256
3ef0fc15d38d961b663785192c5da8ed6a0fb17ee8d5a48bd9e00ce4dc84dc2a

SHA512
d4631ab1a087692221ac35839bc0c0484fb7a32c59ce8bb263781f94775d959f1f88db146edf341dc3593c4900813acb072678a45af5ca6f5878014ab5bfa99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\HoneyBucket.Exe

Filesize
571KB

MD5
37876c6ead468d82ba34647fdbd415bd

SHA1
a02caee215619e8e68f7b908273734bf9d35223c

SHA256
83314ad01d7fe000b4ca2f6137cc0a0c761040ed2763c250d1e103865d61370c

SHA512
2b028b475f42d1aaf2337bd03ec7beea0ccfe2b5490d80e2db32318f58158d344dfe1972fc83d2e5cb76ecb4c0ba6d65364796dcfb9f3d234b1e419a5e84bd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Setup4300.Exe

Filesize
144KB

MD5
ea1a4a4de3f9945ecf7d3c7dc5b77c79

SHA1
1b57553b0a57bb15141e298006fe9ced483d9897

SHA256
47bd022cc024840cd100aeb6b8c36f3bdde3cc5aacc47d3a69b044ce46000388

SHA512
51e71681128b7216d7f83d84c8c7377e30737fa1b444930a7fba97461e0f795976af13887960d8026b2ec83324453c9ade06527fe50ac1a4a3fa28134abff451

Download Submit
memory/1688-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1688-26-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1820-30-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3992-55-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-66-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-49-0x0000000002470000-0x0000000002484000-memory.dmp

Filesize
80KB

Download
memory/3992-31-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-56-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-64-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-65-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-41-0x0000000002470000-0x0000000002487000-memory.dmp

Filesize
92KB

Download
memory/3992-67-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-68-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-69-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-70-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-71-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-73-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-74-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3992-75-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing