6d687a744d66c77e05b69b5fbfb43f37110e1b46f6c3ac39f716f1bd05099b6d

General

Target

4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
Size

1.1MB
MD5

4aeb9a345379cfaed630f18d80e97905
SHA1

53ade90e963a0e2ee91fd32ecf2a1b7f49ec2229
SHA256

6d687a744d66c77e05b69b5fbfb43f37110e1b46f6c3ac39f716f1bd05099b6d
SHA512

7fe271062d74f490c7e8794e89785b04bcae2cffdb8016078c54347df6b36a4f158e3cf6a10497dc413ed364fa1f20ca31111062f1cba28206a9bab9412a1861
SSDEEP

12288:pOXGpJ0g+IuMwJRiZoanF3ilRnrNIV6flDk3ZdZzZzZGePeibHHdK7TnB6trhHZY:p+uJK4SrJqo6ecEehAM/NIWZtMXse

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	11250.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
Token: SeRestorePrivilege	2592	dw20.exe
Token: SeBackupPrivilege	2592	dw20.exe
Token: SeBackupPrivilege	2592	dw20.exe
Token: SeBackupPrivilege	2592	dw20.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3684	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	86
PID 4756 wrote to memory of 3684	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	86
PID 4756 wrote to memory of 3684	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	86
PID 3684 wrote to memory of 2024	3684	csc.exe	88
PID 3684 wrote to memory of 2024	3684	csc.exe	88
PID 3684 wrote to memory of 2024	3684	csc.exe	88
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4756 wrote to memory of 4076	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	90
PID 4076 wrote to memory of 2592	4076	vbc.exe	91
PID 4076 wrote to memory of 2592	4076	vbc.exe	91
PID 4076 wrote to memory of 2592	4076	vbc.exe	91
PID 4756 wrote to memory of 4264	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	93
PID 4756 wrote to memory of 4264	4756	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5dq5ahk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8185.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8184.tmp"
    3⤵
    PID:2024
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- C:\Users\Admin\AppData\Roaming\11250.exe
  "C:\Users\Admin\AppData\Roaming\11250.exe"
  2⤵
  - Executes dropped EXE
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8185.tmp

Filesize
1KB

MD5
770553b8a6e6a8bc14058d44d24ae32f

SHA1
33cfa6c809c6599a256274455cd9118790fd5514

SHA256
3f0d4c9a724f4814562a13ecff05021cb0e0b98666361b5e89027c756fd37c54

SHA512
05af6d3690c4b3ccfecd6ba27438f35a92d5b19fcd9917113d28bc46b0561d8cc735048e64f885f756167d3311813facbe2894829c413e7fe73fd58cbfdf8bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5dq5ahk.dll

Filesize
5KB

MD5
92a9a5ec5de52c06d5f1b090c731824d

SHA1
2667099c50b67da4e4401fc6dd5acdc66c503638

SHA256
d869f7b3b57038ac732e38d25009d54ec66a2060acbc32da451807bf17445bcd

SHA512
fa8f56e94946b4b2896feb3e1e0ad994f8b427f947b84cd3fe03c179e442341e1f1d5d07c1c305e38319eb77ce510c12cb96f51d38a8502ab5c592a02fc1f70d

Download Submit
C:\Users\Admin\AppData\Roaming\11250.exe

Filesize
263KB

MD5
a90158d5134a783ef748e009e7adb0f4

SHA1
bd050413c1cfab8eacac525b0c31af0385a91711

SHA256
8e6c613486cde6a3bcfc6f4d4cd2c8f0add711f8efbeea1dd9f15ac1b1ce7872

SHA512
cd26540aa1570f03fbb2fb790d716522d6b64b70e91507fd78c8bcef86ddec9b657abae9d5b08c999c3b34021f562da9955405fe43d367c6bf2b163927af1920

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8184.tmp

Filesize
652B

MD5
3d86bf3bd156f66a9ad0170d2878b94c

SHA1
0f50665ffa44d9d969927874e59ae898141510e0

SHA256
1b37fcabc0b87b35285afce18d203853c7b6161f414fba5048d3d3ef8cd47958

SHA512
ff781b37ae3003a7a2f2293ec090e3d4c654e75dd941d59460102eeafdc1a91b32a4175d0b6650bcb71b01a98bdd5abf2222f38f9ea5a92a494de36c52b5d9b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5dq5ahk.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5dq5ahk.cmdline

Filesize
206B

MD5
1a0af3de9d721d6bc1b7104c2dd18848

SHA1
30977138dd7bb62c0cec8ebad4022cb3cb418da1

SHA256
ce203d25cb801b5327f36747fdb1e408e4ae93dd242f6efe916863d36f3fff20

SHA512
1ada04670f6b5f19a0858cae2672b9325927debcc7f08b9c8ef46ff70a451ad77d5a089730600741d88722143ae4d2c0dd69c9b1845227d91a1f9b9c9a904d77

Download Submit
memory/3684-15-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/3684-8-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4076-18-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4076-19-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4076-20-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4076-40-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4264-42-0x000000001B240000-0x000000001B2E6000-memory.dmp

Filesize
664KB

Download
memory/4264-43-0x000000001B7C0000-0x000000001BC8E000-memory.dmp

Filesize
4.8MB

Download
memory/4264-44-0x000000001BDB0000-0x000000001BE4C000-memory.dmp

Filesize
624KB

Download
memory/4264-45-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/4264-46-0x000000001BF10000-0x000000001BF5C000-memory.dmp

Filesize
304KB

Download
memory/4756-2-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4756-0-0x00000000746B2000-0x00000000746B3000-memory.dmp

Filesize
4KB

Download
memory/4756-1-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4756-41-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads