e4f98a044639b032fca0d61ed35264d2037f8430a8629e97422428ddf3f67168

General

Target

4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe
Size

2.6MB
MD5

4d2f943c5f2cee1c159bfa40abc5770b
SHA1

524660225b2f12cd967079bfe58d2e501a5110e6
SHA256

e4f98a044639b032fca0d61ed35264d2037f8430a8629e97422428ddf3f67168
SHA512

1bfa7ddd7e02d6b2037d8f7904c764f7519c22c2a7aae8b77e927bbbd4a8b748316ef497220e7b5637d86c4cce27ab8051865e92a2b226e7f8c2413c9e2468f8
SSDEEP

49152:/46zGQ20GAciMOXCeGVR9fY6wd2Lp2vE5gmS5qNWCdzAwh1+c4Ijsmnqp+pSWdXR:/46yshS9xA6Dp2vXmKwWCdzx1+c4TmnL

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	rundll.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	rundll.exe
5016	chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
2924	rundll.exe
2924	rundll.exe
2924	rundll.exe
2924	rundll.exe
4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe
4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\rundll.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\.htm\OpenWithProgIds	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\.htm\OpenWithProgids\ChromeHTML	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2864	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2924	rundll.exe
2924	rundll.exe
2924	rundll.exe
2924	rundll.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	rundll.exe
2924	rundll.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 2924	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	86
PID 4428 wrote to memory of 2924	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	86
PID 4428 wrote to memory of 2924	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	86
PID 2924 wrote to memory of 1512	2924	rundll.exe	87
PID 2924 wrote to memory of 1512	2924	rundll.exe	87
PID 2924 wrote to memory of 1512	2924	rundll.exe	87
PID 1512 wrote to memory of 1760	1512	cmd.exe	89
PID 1512 wrote to memory of 1760	1512	cmd.exe	89
PID 1512 wrote to memory of 1760	1512	cmd.exe	89
PID 1760 wrote to memory of 2864	1760	cmd.exe	90
PID 1760 wrote to memory of 2864	1760	cmd.exe	90
PID 1760 wrote to memory of 2864	1760	cmd.exe	90
PID 4428 wrote to memory of 5016	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	91
PID 4428 wrote to memory of 5016	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	91
PID 4428 wrote to memory of 5016	4428	4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe	91
PID 5016 wrote to memory of 5088	5016	chrome.exe	92
PID 5016 wrote to memory of 5088	5016	chrome.exe	92
PID 5016 wrote to memory of 5088	5016	chrome.exe	92
PID 5088 wrote to memory of 224	5088	cmd.exe	94
PID 5088 wrote to memory of 224	5088	cmd.exe	94
PID 5088 wrote to memory of 224	5088	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d2f943c5f2cee1c159bfa40abc5770b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\rundll.exe
  "C:\Users\Admin\AppData\Local\rundll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\rundll.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\rundll.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2864
- C:\Users\Admin\AppData\Local\chrome.exe
  "C:\Users\Admin\AppData\Local\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg import C:\Users\Admin\AppData\Local\Temp\AcGB9DA.tmp
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\reg.exe
      reg import C:\Users\Admin\AppData\Local\Temp\AcGB9DA.tmp
      4⤵
      Modifies registry class
      PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AcGB9DA.tmp

Filesize
4KB

MD5
9b1b4f123edff35b02c82f96969ab159

SHA1
7fb84a82b8522c9bda3908d165aad07d8ef11bb9

SHA256
66d45257ff65fe634cc223c4e7ce303f7a1369a3f6eb44cff7ea127aae3adb60

SHA512
9bbb767210354a3be0d1054faf6d82ed316a9f085a6489948776c08f5d1130aea3f8b810f9539f3663070b411808493a13358b63b865577ac8446e8a7fd93a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
148B

MD5
5a0bdaf694ccd27a22cda27a4bbc6adf

SHA1
c3ebec6cf3e56e5bcb69684b55c3d6da10c5ef5f

SHA256
12abc839cb047de62e0d5490b54f987a074e36f7f7b6775a6b331911d1545c2b

SHA512
82e243d1e5e1df530dba387b71c42a1c561775860b0a2989a095b801bf047f2c0e6d464ba6fe8210d81ac3969f74474e5ef2896b8e6a026738b3df45b7cc524f

Download Submit
C:\Users\Admin\AppData\Local\chrome.exe

Filesize
968KB

MD5
302f6b210682996275c687e6f0dd7c12

SHA1
ac6f3536a06d633ab4ad602ef0fcf0dd50b3482f

SHA256
8420157685bdcf0fc0d810edbd2ad70a2f11669fbfa7f9d07022b1f9f5a25473

SHA512
ccfb3c6b6fbb3a59fe54582cccb7b50f56853a3f546aecd6497e0d0f2837c9fcb8844a54c5a8e1957ad9208e8b87c2121c47b8835bcd9010c907aa3afdd3005f

Download Submit
C:\Users\Admin\AppData\Local\ntdata.dll

Filesize
268KB

MD5
ed174f4a9bd2409068db32757b3bc384

SHA1
397d786a611a5f02932839df7a6a630a656516eb

SHA256
3aedc83eb1a417e83f99cc5aa956f0cf3de3fdd5083b0e9c3f7ced24cf074eaf

SHA512
d19c6c7ddd59b85d3337362521fe622c94df1d7c9f53e6be38a61969feb3d9c9b3bac0b318c729a6a5e91419f0e1a85954ba4f58c0baac6ac5f6dbb47950a305

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
370KB

MD5
71005fdae1983b9b28bb4e2a73461876

SHA1
20de7b55055b3cd49b89b8d6ef7ac78f2da0af2d

SHA256
7f110b2988ba31d9dd1d9813c83cbe719f89bee0727da8a41c4f6a855e1cae8c

SHA512
a348457729cf0edc16358474cb7b863fbe051105f5920467f58db0ec72d0737a605a611d2c8342e99abca03336c981c01307e025f95af20512e1d8195e7b3979

Download Submit
C:\Users\Admin\AppData\Local\rundll.exe

Filesize
682KB

MD5
c89a2e085f9edb67985ebf9942c55535

SHA1
f3d14a21a1e03455a798a1b98cfdee1f8493e9ce

SHA256
f2a6d5d0d5209be7de82083974be7bc7eaf6b6a1194b0a511e7be03bf043989b

SHA512
46955a8bb384cc727ec042ef126356b7084192f805585131a02767c42e83dc8b1e13d8a5b8a4e8db98210dc72130521316a96b0930d796313bb27c1e21741f11

Download Submit
memory/2924-39-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2924-23-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2924-16-0x0000000000A60000-0x0000000000AA9000-memory.dmp

Filesize
292KB

Download
memory/2924-40-0x0000000000A60000-0x0000000000AA9000-memory.dmp

Filesize
292KB

Download
memory/2924-41-0x0000000000AB0000-0x0000000000B12000-memory.dmp

Filesize
392KB

Download
memory/2924-18-0x0000000000AB0000-0x0000000000B12000-memory.dmp

Filesize
392KB

Download
memory/4428-27-0x0000000003540000-0x0000000003589000-memory.dmp

Filesize
292KB

Download
memory/4428-0-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4428-42-0x0000000004000000-0x00000000042A9000-memory.dmp

Filesize
2.7MB

Download
memory/4428-43-0x0000000003540000-0x0000000003589000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads