2fb743b0669218b620d04d4d3728a4f596a360a7fb4b47feb7f689352fe300f7

General

Target

4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe
Size

325KB
MD5

4c54b7ed22140945dd8ab566b6c6a413
SHA1

7fe3943a5b1278f7a6389555491a5775c9f6a776
SHA256

2fb743b0669218b620d04d4d3728a4f596a360a7fb4b47feb7f689352fe300f7
SHA512

c7ca5bb7eea33cbce8ada9ed3ec10968eb9d85f9fe4248e14c4a3a30a96216d970da2dc8237db1381a05ecce9fc18ee86f048f6fdfcc906785a9ddb4c1cdfbc5
SSDEEP

6144:klTBF2Moph9KUHoWjpAQZ6DKtAXocStK940MkUxqG2Y6bBJCVobrEw:4JWoSlAYcStWLMktY6lY+Ew

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	Keygen.exe
1040	7za.exe
2016	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2876	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	86
PID 3180 wrote to memory of 2876	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	86
PID 3180 wrote to memory of 1040	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	87
PID 3180 wrote to memory of 1040	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	87
PID 3180 wrote to memory of 1040	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	87
PID 3180 wrote to memory of 2016	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	89
PID 3180 wrote to memory of 2016	3180	4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c54b7ed22140945dd8ab566b6c6a413_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
148KB

MD5
c35acab7225fc1eeceaa6f2c70567614

SHA1
6c47f3f66146a433fdbd01126ef5a2f686dede08

SHA256
c4c68bb934d8ab6073fb02141b46dbc83102be2283dede4088f3bd9b9b2b7a68

SHA512
5df3b6ddefbffe71855b6305723ff6eed517015d0567d5961519008d0b35ad5e2719c5e2c642de2e27e6f7331a9b83d4eea67af28ec5938d766ae74671850107

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
87cd0fdb8fe67ff82560def24aafd9d3

SHA1
508468bcd7bf4f625acf3a05b4c2c88c978ad6ba

SHA256
c6d67478a46341366975c8afcace1affa2a32f03200061360e9b17b1f52b36b0

SHA512
80a602e1614514e4fee7d38fc8d0969ef224eb679d2ca628ec8c95d737c1c5fb6a2110c8e505dee1914cfbacf20ed80b0110db0403f4362114ecc05349223e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8D0F.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/2016-38-0x000000001BD10000-0x000000001BDB6000-memory.dmp

Filesize
664KB

Download
memory/2016-47-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2016-41-0x000000001CAA0000-0x000000001CB00000-memory.dmp

Filesize
384KB

Download
memory/2016-40-0x000000001C9F0000-0x000000001CA3C000-memory.dmp

Filesize
304KB

Download
memory/2016-39-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2016-37-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2016-36-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2876-23-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2876-35-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/2876-26-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2876-25-0x000000001BF40000-0x000000001BFDC000-memory.dmp

Filesize
624KB

Download
memory/2876-24-0x000000001B9D0000-0x000000001BE9E000-memory.dmp

Filesize
4.8MB

Download
memory/2876-45-0x00007FFCB75B0000-0x00007FFCB7F51000-memory.dmp

Filesize
9.6MB

Download
memory/2876-46-0x00007FFCB7865000-0x00007FFCB7866000-memory.dmp

Filesize
4KB

Download
memory/2876-20-0x00007FFCB7865000-0x00007FFCB7866000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing