c3466a9ff9243efe9a6de5152f92c745e0f355f81769037bda306918a82cdd34

General

Target

4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe
Size

1.7MB
MD5

4d6956af35f20e9e450e3764f93f7002
SHA1

bb29842aa46edf5699f8d13aaa32daa4e8571c33
SHA256

c3466a9ff9243efe9a6de5152f92c745e0f355f81769037bda306918a82cdd34
SHA512

4ec87803ca6db1bdadcdffb925ff12b70b039c6a16ac29b6106df0a956d625da28c325393f9371e9114a9eb60b9930df25eebec4dca102895ebe2a7a6a89a1ca
SSDEEP

24576:RBgyjZumcNJjM1dHrMgGfQZmiZLjej/qJOo9yevNTnEgXjGpwH2bmot9:RduLj68Iej/qko9B5RibpT

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	ctfmon.exe

Executes dropped EXE 2 IoCs

pid	Process
2020	ctfmon.exe
4364	Eirador Multi v1861.exe

Loads dropped DLL 14 IoCs

pid	Process
2020	ctfmon.exe
2020	ctfmon.exe
2020	ctfmon.exe
2020	ctfmon.exe
392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe
392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe
4364	Eirador Multi v1861.exe
4364	Eirador Multi v1861.exe
4364	Eirador Multi v1861.exe
4364	Eirador Multi v1861.exe
2668	WerFault.exe
2668	WerFault.exe
2020	ctfmon.exe
2020	ctfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\ctfmon.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	2020	WerFault.exe	86

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2764	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2020	ctfmon.exe
2020	ctfmon.exe
2020	ctfmon.exe
2020	ctfmon.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2020	ctfmon.exe
2020	ctfmon.exe
4364	Eirador Multi v1861.exe
4364	Eirador Multi v1861.exe
2020	ctfmon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2020	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	86
PID 392 wrote to memory of 2020	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	86
PID 392 wrote to memory of 2020	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	86
PID 392 wrote to memory of 4364	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	87
PID 392 wrote to memory of 4364	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	87
PID 392 wrote to memory of 4364	392	4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe	87
PID 2020 wrote to memory of 2884	2020	ctfmon.exe	88
PID 2020 wrote to memory of 2884	2020	ctfmon.exe	88
PID 2020 wrote to memory of 2884	2020	ctfmon.exe	88
PID 2884 wrote to memory of 4444	2884	cmd.exe	90
PID 2884 wrote to memory of 4444	2884	cmd.exe	90
PID 2884 wrote to memory of 4444	2884	cmd.exe	90
PID 4444 wrote to memory of 2764	4444	cmd.exe	91
PID 4444 wrote to memory of 2764	4444	cmd.exe	91
PID 4444 wrote to memory of 2764	4444	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d6956af35f20e9e450e3764f93f7002_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\ctfmon.exe
  "C:\Users\Admin\AppData\Local\ctfmon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\ctfmon.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\ctfmon.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 760
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2668
- C:\Users\Admin\AppData\Local\Eirador Multi v1861.exe
  "C:\Users\Admin\AppData\Local\Eirador Multi v1861.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2020 -ip 2020
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Eirador Multi v1861.exe

Filesize
400KB

MD5
2cccaa37025aaa3967f2cc6db25d0c68

SHA1
791d7f8ef09ffe60ce4423aee3fdc382b188fc23

SHA256
3d9ae884f80a509b3120872e1126ce273902a1cfe3e28fd862484a8e755257ea

SHA512
49f08d950652ece90ba5cc4d45222cdc138debefbaabc10c7ec93b9a45d9c6f92b32c68a441a9405fd8397e09fadd56846504e295e25ff0e69e6fde156f8bb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
148B

MD5
f75271341aacb5971293c8483a89bc83

SHA1
c90ef90dd26977763e5f35a3f7c89268dbe83fbd

SHA256
e1f428dada2c4611ff6acc2b61672e92b2ca42b67015bfbabde458224c61b1b1

SHA512
db401e289e9b3d1f5258e3a2c60e0113c2195c8acd5712c2e97f058f916e2008e9b846119b4cbbd26337e2f62b9b0f21cd046f07c6c166d3bcf43f689a3397a7

Download Submit
C:\Users\Admin\AppData\Local\ctfmon.exe

Filesize
560KB

MD5
a8072393ca67951159b23630acd2971b

SHA1
4c986472e2320f0a522e655820a31a76db418efc

SHA256
734d16d34150addd7b9e5c34072be244ddc743ecdcb5e5745d91c3ee7298b88a

SHA512
c0b6d87225637cabecfa39a3ce8e12b77e8b8865b53a5981401ca452012d966ffa5e0b400a48acd63649c543755111034c9d8ea4366cebc37b1a65afef5dda89

Download Submit
C:\Users\Admin\AppData\Local\ntdata.dll

Filesize
268KB

MD5
ed174f4a9bd2409068db32757b3bc384

SHA1
397d786a611a5f02932839df7a6a630a656516eb

SHA256
3aedc83eb1a417e83f99cc5aa956f0cf3de3fdd5083b0e9c3f7ced24cf074eaf

SHA512
d19c6c7ddd59b85d3337362521fe622c94df1d7c9f53e6be38a61969feb3d9c9b3bac0b318c729a6a5e91419f0e1a85954ba4f58c0baac6ac5f6dbb47950a305

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
72KB

MD5
395c78df12233992b0a2a4de48e8d7ed

SHA1
735cebcca0b8945d2f562605b93921fb3a7c960b

SHA256
49c842ab6754bdef2cf3443c7b63bcc854deda5474424754af741b42de3ae825

SHA512
d66a755ed45670e34296727d67fae83fbff0c7fe286feab73e2df37717185627449c4a63deffeeb013ac61935f344245b7f75f90153cef70ddc0109721bb86c8

Download Submit
memory/392-0-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/392-36-0x0000000003440000-0x0000000003489000-memory.dmp

Filesize
292KB

Download
memory/392-35-0x0000000004000000-0x00000000041BD000-memory.dmp

Filesize
1.7MB

Download
memory/392-32-0x0000000003440000-0x0000000003489000-memory.dmp

Filesize
292KB

Download
memory/2020-17-0x0000000000610000-0x0000000000659000-memory.dmp

Filesize
292KB

Download
memory/2020-28-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2020-26-0x0000000002510000-0x0000000002527000-memory.dmp

Filesize
92KB

Download
memory/2020-58-0x0000000004920000-0x0000000004937000-memory.dmp

Filesize
92KB

Download
memory/2020-61-0x0000000004920000-0x0000000004937000-memory.dmp

Filesize
92KB

Download
memory/2020-60-0x0000000000610000-0x0000000000659000-memory.dmp

Filesize
292KB

Download
memory/2020-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2020-50-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2020-51-0x0000000000610000-0x0000000000659000-memory.dmp

Filesize
292KB

Download
memory/2020-52-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4364-41-0x00000000020A0000-0x00000000020E9000-memory.dmp

Filesize
292KB

Download
memory/4364-48-0x00000000020A0000-0x00000000020E9000-memory.dmp

Filesize
292KB

Download
memory/4364-49-0x0000000002AB0000-0x0000000002AC7000-memory.dmp

Filesize
92KB

Download
memory/4364-47-0x0000000002AB0000-0x0000000002AC7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads