4e61d8ff4c2d9e65504b5b1e4ccde6e8923a48440197e22bcbcef0a5bbe4a57e

General

Target

5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe
Size

164KB
MD5

5f8f6a362f1f5c6d2f7ddbacc8943748
SHA1

f27cde7db4d5c2f37575f572caf623abb0df565f
SHA256

4e61d8ff4c2d9e65504b5b1e4ccde6e8923a48440197e22bcbcef0a5bbe4a57e
SHA512

da11b942d58679a6c87baa8207f6f79d40424b432da3a2d70beaca1acb6279af80475aed830cd811e7c67b281b5a36ed827b2fc72de5b78743b0fa63cb172efc
SSDEEP

3072:mnj9/tfUyINndIc0JxKxvuu0Af6mnroOFF6lku2MKoGnmWcDWcb5H1/b:mj3eicxwASmn0qg5b5V/b

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	SAS_Pro_TR.exe

Executes dropped EXE 3 IoCs

pid	Process
780	SAS_Pro_TR.exe
2192	regedit.exe
1904	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002344c-5.dat	upx
behavioral2/memory/780-6-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/780-20-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2192	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 780	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	84
PID 1576 wrote to memory of 780	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	84
PID 1576 wrote to memory of 780	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	84
PID 780 wrote to memory of 1456	780	SAS_Pro_TR.exe	87
PID 780 wrote to memory of 1456	780	SAS_Pro_TR.exe	87
PID 780 wrote to memory of 1456	780	SAS_Pro_TR.exe	87
PID 1456 wrote to memory of 2192	1456	cmd.exe	89
PID 1456 wrote to memory of 2192	1456	cmd.exe	89
PID 1456 wrote to memory of 2192	1456	cmd.exe	89
PID 1576 wrote to memory of 1904	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	91
PID 1576 wrote to memory of 1904	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	91
PID 1576 wrote to memory of 1904	1576	5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f8f6a362f1f5c6d2f7ddbacc8943748_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAS_Pro_TR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAS_Pro_TR.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SASP_TR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regedit.exe
      REGEDIT /S regdata.reg
      4⤵
      Executes dropped EXE
      Runs .reg file with regedit
      PID:2192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SASP_TR.bat

Filesize
126B

MD5
297a79f9d1d5079d3530b380ee3587e8

SHA1
b11ceed7cda90f97c5ecd69b179d9ddbfc4c28c5

SHA256
67df6690a3f2fc9e17c9db82b150e1e298d394ecf4580aec3e0792f8e13073ee

SHA512
7e390c9c84c76b164da89a018a432689b9321ea2d410e8544e5b1d08c54f9e4423d41b299868440c4c056c28fb20622949257bad946242bf80346d25c0ad225c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SAS_Pro_TR.exe

Filesize
103KB

MD5
6643a525954c8eff04f6fbeb4b18bd6d

SHA1
c1e77a1b193ed1de0c349b423bb48dc49c49d745

SHA256
4e793c9f1f86c889b06bdac7c82bbe631baf9ca138abaa7f48d078cde85a0ee0

SHA512
9e64c766887c1a0ee57e196d8c5bb857f3bd8534a6b60234d288604b5b7b675ac6e44f283e1a1186164a66a0215d5fce6c81c1e79fc70f4b5f51fe74173b5d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdata.reg

Filesize
184B

MD5
d56329f65bed14e25a409ac2cbf0844c

SHA1
470a491bd8e67dd97ad2676406de0d505de4dbcb

SHA256
24c40b8eb088fa67b17983e9aee2a865cbc0853129ed86bd2090d295aa90109f

SHA512
b04a0f1fb8b96d0baf6d5cb19130ef60a8c489bf50195fdc92684cf65f18f1627b5a1cddacdbbd29bed8642e8b8baa75b901636b4c3ab77e98269c3bcbfc5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regedit.exe

Filesize
143KB

MD5
783afc80383c176b22dbf8333343992d

SHA1
8829b5a655b9d480d0d4a8ab4faf219c89368ac1

SHA256
694590952296bd3127823fa36da6d6401e1c8772473d9f7c719548330dd5f138

SHA512
b6fb2759d7ad3d29442d88e09ba16b61adb50571fd86cea9f31be096348f2df5c1d31390d2b461fbee80fbe161580213cb95365d9ad8b482a70cf2ab6691a482

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
20KB

MD5
d8054916eefcd90e09891909b268fe6f

SHA1
a212481d5997005fbc675bff782de2ac894e8b37

SHA256
1f2afd2aaafe41c915dce6ecff223cb48d14e4c323af9e64d2e1b151eb93d2af

SHA512
6233f4183617d1d1f3d13bbd56b8fad96184215e2261fc4763fc4c3c62da5e763e5187a4f4ff6325efa682816c035b2abdc2108a051f3418c0d304e1206d5241

Download Submit
memory/780-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-20-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1904-25-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download
memory/1904-27-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads