42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665

General

Target

4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
Size

68KB
MD5

4cf07f0e00efc17fd43c685f2658c768
SHA1

87403314fa15b5b7c779d2b0131df6fb2958c994
SHA256

42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665
SHA512

bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395
SSDEEP

768:6y/Asc3Q8Y97tPgADzMgNVcBE7KN0rWGdv/qhjOK0oUW8AOktxd1IdGvnS93k/:UA8utPg0VcBEKN4WKKQK0opdOkLdiW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	iexplore.exe
3332	iexplore.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iexplore.exe	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\iexplore.exe	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 1944 set thread context of 3332	1944	iexplore.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1432	3332	WerFault.exe	90

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 1464 wrote to memory of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 1464 wrote to memory of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 1464 wrote to memory of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 1464 wrote to memory of 2084	1464	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	85
PID 2084 wrote to memory of 3916	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	87
PID 2084 wrote to memory of 3916	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	87
PID 2084 wrote to memory of 3916	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	87
PID 2084 wrote to memory of 1944	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	88
PID 2084 wrote to memory of 1944	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	88
PID 2084 wrote to memory of 1944	2084	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	88
PID 1944 wrote to memory of 3332	1944	iexplore.exe	90
PID 1944 wrote to memory of 3332	1944	iexplore.exe	90
PID 1944 wrote to memory of 3332	1944	iexplore.exe	90
PID 1944 wrote to memory of 3332	1944	iexplore.exe	90
PID 1944 wrote to memory of 3332	1944	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozbgbmrw.bat" "
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\iexplore.exe
    C:\Windows\system32\iexplore.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\iexplore.exe
      C:\Windows\SysWOW64\iexplore.exe
      4⤵
      Executes dropped EXE
      PID:3332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 572
        5⤵
        Program crash
        
        PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3332 -ip 3332
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ozbgbmrw.bat

Filesize
244B

MD5
ac3ce85c8e58419c33b99b11713f97ad

SHA1
0cd33506e1a8839902039892faf476a24de9dc48

SHA256
7bafe5aac41ad21c1dc867344f4bf8ecae1174076688bbd55d1d9b8f3c4fe3a8

SHA512
464628bc704a25f63b68d8206755cdc6624beca88f944466a26e9d34b00c249ea4bebcc41743fbb427aa5ec11950efe4b8bbd68261cf5330dc461fa7488745ba

Download Submit
C:\Windows\SysWOW64\iexplore.exe

Filesize
68KB

MD5
4cf07f0e00efc17fd43c685f2658c768

SHA1
87403314fa15b5b7c779d2b0131df6fb2958c994

SHA256
42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665

SHA512
bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395

Download Submit
memory/1464-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1464-3-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1944-17-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1944-21-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2084-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3332-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3332-25-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing