c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104

General

Target

60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
Size

692KB
MD5

60476c892ca790e28f8aaf1f56b50518
SHA1

157ba2fcd7f004aa0d6b2c266edab867f374cea8
SHA256

c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104
SHA512

db27ddfa7432f437ef9ba2bc80bffa84a20911f3dbf373b9a4867e809e2cf0d7f95b7b8d3765ebabe521771acb52021f942ad62f295b868951bb89d842f7550d
SSDEEP

6144:mw2VnAKP8AcO/t4JRPB/Wsw7epczK7mYYVce4H8bE11VORe/mOAH6gdJmw9Sq+l6:z2j8PdxB/Ws64vmQ11Vf/mOAHXL8ll6

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	svchcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcomtr = "C:\\WINDOWS\\system32\\svchcst.exe"	regedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchcst.exe	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\reg.reg	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
4312	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
1252	svchcst.exe
1252	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1252	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	87
PID 1880 wrote to memory of 1252	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	87
PID 1880 wrote to memory of 1252	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	87
PID 1880 wrote to memory of 3844	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	90
PID 1880 wrote to memory of 3844	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	90
PID 1880 wrote to memory of 3844	1880	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	90
PID 1252 wrote to memory of 2264	1252	svchcst.exe	100
PID 1252 wrote to memory of 2264	1252	svchcst.exe	100
PID 1252 wrote to memory of 2264	1252	svchcst.exe	100
PID 2264 wrote to memory of 4312	2264	cmd.exe	102
PID 2264 wrote to memory of 4312	2264	cmd.exe	102
PID 2264 wrote to memory of 4312	2264	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\svchcst.exe
  "C:\Windows\system32\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit -s C:\Windows\reg.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\regedit.exe
      regedit -s C:\Windows\reg.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ .bat" "
  2⤵
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
137B

MD5
91031b1ce91d7ebfeedba7549c7d77de

SHA1
2796c5e42a7a2467f8e02f17fa9812a3470a861b

SHA256
ebe2f95753a116102898b90dab09a7287d7d61e22e2c541e93482201c0f6c396

SHA512
77e04e3f6016a52a8637b7dfe5f21af99f40cab78be38e6bf01b5887827da4e6240d4f3ebac977b1190fcebb428e6e03f3b242cb69764dc9f374d58fbe756420

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
692KB

MD5
60476c892ca790e28f8aaf1f56b50518

SHA1
157ba2fcd7f004aa0d6b2c266edab867f374cea8

SHA256
c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104

SHA512
db27ddfa7432f437ef9ba2bc80bffa84a20911f3dbf373b9a4867e809e2cf0d7f95b7b8d3765ebabe521771acb52021f942ad62f295b868951bb89d842f7550d

Download Submit
C:\Windows\reg.reg

Filesize
154B

MD5
d00bcc58dfddbb4cce3fd371c35651a2

SHA1
737b23026c9efa398127bed43aef144ad95eff45

SHA256
a776baa2520c61f8bfa3bf42ffc16acc896cea78af8ae0b896598bb0f075b251

SHA512
a01d95437b4675d79b8dbe7bb35b7dd982f7093ba979eb735ed1802a7d5c19dc2e494ef86f846767be858fec1ee3dba9f79dd962eb21fb5282290edde60d142c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads