cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240

General

Target

5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
Size

654KB
MD5

5d7bbd8f8d2858b947ebbbf5e8366c02
SHA1

0ebfba42374fea084b32522060a46c14d39e0c4c
SHA256

cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240
SHA512

44cad738aca3660f598b7661b859c96db9e64e60682b86cb64a2f118f97aaa444548fa63ec5201b75220e9b160ddf53ec369859e5d7f241ea85248fb5eb59d1b
SSDEEP

12288:wrmZGB/ZxZ2jcrRKpzqQDaDQx76kvsz3J1R7JiYitaLoSp:wr3VZxZ2C8zqQ+QV6s6Z1N8O

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	svcttkt.exe

Loads dropped DLL 1 IoCs

pid	Process
1360	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2816-0-0x0000000000400000-0x0000000001954000-memory.dmp	upx
behavioral2/memory/2816-51-0x0000000000400000-0x0000000001954000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\msadotb.htm	svcttkt.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\win.dat	cmd.exe
File created	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\winxp.dat	cmd.exe
File created	C:\Windows\Debug\error.gg	cmd.exe
File created	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe
File created	C:\Windows\ime\svcttkt.exe	cmd.exe
File opened for modification	C:\Windows\ime\svcttkt.exe	cmd.exe
File opened for modification	C:\Windows\ime\de-DE\svcttkt.ini	svcttkt.exe
File opened for modification	C:\Windows\Debug\tb.dat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2272	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	rundll32.exe
1360	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	tasklist.exe
Token: 33	3144	svcttkt.exe
Token: SeIncBasePriorityPrivilege	3144	svcttkt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3144	svcttkt.exe
3144	svcttkt.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4156	2816	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	87
PID 2816 wrote to memory of 4156	2816	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	87
PID 2816 wrote to memory of 4156	2816	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	87
PID 4156 wrote to memory of 220	4156	cmd.exe	90
PID 4156 wrote to memory of 220	4156	cmd.exe	90
PID 4156 wrote to memory of 220	4156	cmd.exe	90
PID 4156 wrote to memory of 1588	4156	cmd.exe	91
PID 4156 wrote to memory of 1588	4156	cmd.exe	91
PID 4156 wrote to memory of 1588	4156	cmd.exe	91
PID 4156 wrote to memory of 2272	4156	cmd.exe	92
PID 4156 wrote to memory of 2272	4156	cmd.exe	92
PID 4156 wrote to memory of 2272	4156	cmd.exe	92
PID 4156 wrote to memory of 4812	4156	cmd.exe	93
PID 4156 wrote to memory of 4812	4156	cmd.exe	93
PID 4156 wrote to memory of 4812	4156	cmd.exe	93
PID 4156 wrote to memory of 1360	4156	cmd.exe	95
PID 4156 wrote to memory of 1360	4156	cmd.exe	95
PID 4156 wrote to memory of 1360	4156	cmd.exe	95
PID 4156 wrote to memory of 3144	4156	cmd.exe	96
PID 4156 wrote to memory of 3144	4156	cmd.exe	96
PID 4156 wrote to memory of 3144	4156	cmd.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E24.tmp\sso.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "ravmond.exe"
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1360
- - C:\Windows\ime\svcttkt.exe
    C:\Windows\ime\svcttkt.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\Ole DB\msadotb.htm

Filesize
443B

MD5
394f21b8b73546aa3346878f6e894d09

SHA1
537d99a43b51f7c198c1764ed7a9968658fb13b5

SHA256
2b4c65c614ac358f866bd91ae65a32e2b058cc9e4c91baebaf2adc1016e9d2d3

SHA512
ae988f7e1f4aef4351fd97fc7c6e8d392b3c9a208486358626b9f17390169a8b508e490d5e948085fa60f0036f68b14b2cde63566d8901229228f2e68447dff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E24.tmp\sso.bat

Filesize
1KB

MD5
87ec8415dca590be1f38a046c1712670

SHA1
1f7e1d8402a896172e166bd140bc2244df3e8dc1

SHA256
7da9f7ec467b93e536f419b762557f04c50f8b830adcc55d407c4832744f376e

SHA512
104cb0980f2f3b7a8b36822326b9fb2e14d4e5e4adfeff12566592c114eae9955ab8f5a498e83f9e212365cf77e6cc0c1d299f8a83dcf5cf63f7e14439a2ca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E24.tmp\tb.dat

Filesize
11.1MB

MD5
877418338a6ec6eef514cf61e9a46de0

SHA1
27263bbd9841b27a363c1084c21686cbd89cc537

SHA256
60c60f19dd38ae9cdb3857c63986504212e154f1d580156d90317027b0c3910a

SHA512
7b633efacc552288b6340428a8dee40f7e7a551d1e3beb40bb6ba9afc70a6e2a7be5bfe9c80262f946b6bbae74d05278a6fd81bea3b580aa9b18aa872dd2d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E24.tmp\win.bat

Filesize
1KB

MD5
c48370acb2152b96f50eed42c5e0339b

SHA1
649f98316924a75adc4167df424946d34cd0db19

SHA256
b26417db14dc4acf04e19cbb0fddb22a2b5c427c7a5e586878cd1d1a746678dc

SHA512
2f9c966aca621018d039f030f0d5e147d43ed72c0fffa1586d2400f2baf0019201dd2fc5eead557694387f8ae42b9a3820c188120a4db2161d9485e8d7290219

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E24.tmp\woti.dat

Filesize
10.2MB

MD5
949947d4f9a3e85fa6e1ff6ba9878912

SHA1
ab6cf0c926ab297cd4b7ecd5e93cd74d7cd1baa4

SHA256
1a88d5afbe5a769551a40adc45586b655e020cbda6d39018aae2f7e847f03811

SHA512
8131c00420ac76549b315847126dd4dd60be4c75ff0870fd2b421a7c6b46240947d627cc9594a15ca124c6e4eb55dd0791e99494c2cbde4841d21d72c7e26661

Download Submit
C:\Windows\IME\de-DE\svcttkt.ini

Filesize
119B

MD5
2cd5adf7925cba6db30dededdd3e2dc4

SHA1
c1493f69d49bd873573bffef727fd420a05c5e27

SHA256
24949fe14f0579dd361a830325cc7fb57ceff8c01bc2c596d9f50fb1da16580f

SHA512
2513bc56188e3f900ddc46ff08ba13cdcf03e387e0198f92db3b3f0d0c411d07f5894d57996142631b79333e507578a3a2f7a9d677c80f0393a75845b469743e

Download Submit
C:\Windows\IME\scripts.ini

Filesize
44B

MD5
f1ccc9de1b67d00d55abfea224e65b88

SHA1
403e72f73cf9fec96c9410c6e2a4a0d81e1088e4

SHA256
4895be9dd90dbca6ce8ebe08bb8f4445926e8dc8cf6629fb722e63f6b047216b

SHA512
d871c841a0342342ec5969e1389a964516a31531abc38574f5c46e254886bd4867aa71758ad325b7738b47faf34dfd8f684e06770eb8948e69a04d144d18dc41

Download Submit
memory/1360-47-0x0000000073F30000-0x0000000074049000-memory.dmp

Filesize
1.1MB

Download
memory/1360-67-0x0000000073F30000-0x0000000074049000-memory.dmp

Filesize
1.1MB

Download
memory/2816-0-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/2816-51-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/3144-65-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing