5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995

General

Target

601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
Size

824KB
MD5

601eac781876bbe44d59f1cd2e6f38b0
SHA1

d4467be6a1db3962cf9287d27245ec7ae03641f3
SHA256

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995
SHA512

3b46e954a871852f9f124bebffeef9d46616e7f463fd54675fbf256f11853c056acb7fa1f291667bd528d899aeb0c271fa2a8397dd5ab66a20a620cda0804232
SSDEEP

24576:f2O/GlKzBmrxcuUoXJ4yzwmxhKbH3rUO46GnZp0:c+yCSwmxUT3ivZp0

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2000	fke.exe
756	fke.exe
404	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\fke.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\LEL_VC~1"	fke.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 756 set thread context of 404	756	fke.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	404	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	fke.exe
2000	fke.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2000	1380	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	87
PID 1380 wrote to memory of 2000	1380	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	87
PID 1380 wrote to memory of 2000	1380	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	87
PID 2000 wrote to memory of 756	2000	fke.exe	89
PID 2000 wrote to memory of 756	2000	fke.exe	89
PID 2000 wrote to memory of 756	2000	fke.exe	89
PID 756 wrote to memory of 404	756	fke.exe	90
PID 756 wrote to memory of 404	756	fke.exe	90
PID 756 wrote to memory of 404	756	fke.exe	90
PID 756 wrote to memory of 404	756	fke.exe	90

C:\Users\Admin\AppData\Local\Temp\601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
  "C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe" lel=vcc
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
    C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe C:\Users\Admin\AppData\Local\Temp\81913139\CPOMC
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      PID:404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 80
        5⤵
        Program crash
        
        PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 404 -ip 404
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81913139\BorderConstants.docx

Filesize
133B

MD5
88e49f064d3a64a665d1aacec00412f4

SHA1
452ed82da9ba84aeab1a769234c44322106dda43

SHA256
ff35a9dec7311443eb46f398c4a1ae5b7e1e0d461783e07cec082384bf17958b

SHA512
953019ebe9f69e5e1c2468b364c373059f5ee0b738e22a20d5e77fc17882679622eca9cd5c040b04a5183e192cbe39898d89ec712bc8b3ddc0f1fddcab517cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\CPOMC

Filesize
87KB

MD5
f619d1c321f994280318e4899808f579

SHA1
966c6c06a68c53bb21cebd289cc50de7e88dfd7b

SHA256
f933a5a03de01e9a488c4cb71285bee17baba1a0684d08ce49094ae01cfd2c96

SHA512
8aa70b965fc37292aba22e452dca20291cde7ca71cf791214bbc534da8f003fd282ab50c7ffba7c3a631bdb2358a1948a2de65ae31bca36405415e18b7d6a75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\TreeViewConstants.mp4

Filesize
36B

MD5
ca93714441a8d3ef16a7774a3298074c

SHA1
5140b2d0a3a2c36f9ec413cad1ae614fc56d977d

SHA256
9afbd1a569a66aaea4429582a0e9f795ccaec874c9a98b75de620b825db1eba7

SHA512
425e85387f51334eca6f997b041c49ffb1977f19a87704a6336ec2c3350418e9f64158f0f4e495b21ec06a46d6e3381a38071e525f4c5332c0ac0714db02afa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fxl.xl

Filesize
491KB

MD5
462f4d1de916f644cdb5ea29c8c51f8f

SHA1
7ac2072c4e3d9ad0b8d2336dd3c52eb48ff93a00

SHA256
02b3a0ccc1716ca0d5be2dff72e715f80bff2fbb11784bdf44449746bb37884b

SHA512
b63dca754b19c080825e55a76e46d753f0207595e3a0c20aace55b86e63c1501002ca3ee78c3c9c2821c6b7b8f0eb570acb1ea4d65a73d203f1229a7edbd175c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\lel=vcc

Filesize
303KB

MD5
b9dd6356f3e9b1281d047ab42650944a

SHA1
15765fee1d0ba347e13037bdac59e7a684ba2be8

SHA256
46df4ccddef86332d56ae5cac26dccac4fc3fb84cbc8a9d297dbacf79af04ce7

SHA512
cdde822cfa1d736409d23b374932adc3bbbe02a060ba9496d8f97b3a7027e19a0f714d138dcea2594a95d1884325f3fae228c598520173ccc3d5843a8b29c956

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads