36755ad2e2d73260f3cebd70aa55e6d9579ad1c855c4370eb9c10cd4fe404967

General

Target

5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
Size

24KB
MD5

5a23f1bf273620980f14915e8c2d62f0
SHA1

2482a33d4e60f9ca8143b477a05e3f2dd61c3f36
SHA256

36755ad2e2d73260f3cebd70aa55e6d9579ad1c855c4370eb9c10cd4fe404967
SHA512

405cd2bad6d8b57421277d06e4475cf09e07880e33803ee565ee45cf7ccb23dc32e3a55099d65ffc25fc8f1ec323a70aaeb5e593fdcbb12e9641f789d16c4f23
SSDEEP

768:YzO6Ih2gCllQ/9R1PS6j//uom+TdsGXGq:YzM2BURBSSbjTu7q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3824	svcser.exe
2484	svcser.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcser.exe	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svcser.exe	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svcser.exe	svcser.exe
File created	C:\Windows\SysWOW64\svcser.exe	svcser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	3824	WerFault.exe	84

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
3824	svcser.exe
2484	svcser.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3824	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	84
PID 764 wrote to memory of 3824	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	84
PID 764 wrote to memory of 3824	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	84
PID 3824 wrote to memory of 2484	3824	svcser.exe	85
PID 3824 wrote to memory of 2484	3824	svcser.exe	85
PID 3824 wrote to memory of 2484	3824	svcser.exe	85
PID 764 wrote to memory of 5056	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	90
PID 764 wrote to memory of 5056	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	90
PID 764 wrote to memory of 5056	764	5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe	90
PID 5056 wrote to memory of 3216	5056	cmd.exe	93
PID 5056 wrote to memory of 3216	5056	cmd.exe	93
PID 5056 wrote to memory of 3216	5056	cmd.exe	93

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\svcser.exe
  C:\Windows\system32\svcser.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\svcser.exe
    C:\Windows\system32\svcser.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 696
    3⤵
    - Program crash
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h 5a23f1bf273620980f14915e8c2d62f0_JaffaCakes118.exe
    3⤵
    - Views/modifies file attributes
    PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3824 -ip 3824
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
242B

MD5
70e3bc44459b183fc772ddf0025e4f37

SHA1
9358b1481a891781e485b7d0db597e6c5628585c

SHA256
188cb99afddda3aab8c994101c06cb7f9351b9a0ae5e2267bb2002327c31797f

SHA512
33b4dcbb19f1c18b15d714615eadc88a2166c74c02e3bb6963af9a6c8eebb14f9a1f5feab8a9a8f3870f123d39572a2f9f7a5e0bad7677fb941945d0926073c7

Download Submit
C:\Windows\SysWOW64\svcser.exe

Filesize
24KB

MD5
5a23f1bf273620980f14915e8c2d62f0

SHA1
2482a33d4e60f9ca8143b477a05e3f2dd61c3f36

SHA256
36755ad2e2d73260f3cebd70aa55e6d9579ad1c855c4370eb9c10cd4fe404967

SHA512
405cd2bad6d8b57421277d06e4475cf09e07880e33803ee565ee45cf7ccb23dc32e3a55099d65ffc25fc8f1ec323a70aaeb5e593fdcbb12e9641f789d16c4f23

Download Submit
memory/764-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/764-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/764-2-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/764-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2484-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2484-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2484-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3824-12-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3824-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3824-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing