e11ea56696aee36f40a7c0bd488e312c98ffdcb1f2d69ae0b567d3137c500211

General

Target

61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe
Size

1.8MB
MD5

61bd7ba17214e93a5254253f89d92c0e
SHA1

06997b41f31cefb98b9fe27cfa5d08d3501ee925
SHA256

e11ea56696aee36f40a7c0bd488e312c98ffdcb1f2d69ae0b567d3137c500211
SHA512

102ae3a96d4d058ebfe7fee35d1341aedf2cbe1bd07d6cc14fe36849f47ca80a033c3886ab92829d2b72794f0e028a31d3a2b2cccbfe744e7b3ad2c3f47f8871
SSDEEP

24576:0WgxYrrlOhjRQAp5TwQtdAlw0aB29N41WEVSZVs3n8QHw5AL:0WzARd9tdAlw0aB29N41WcSZW38qL

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4356	isass.exe
2732	pB0T.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isass.exe = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\" /background"	isass.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	pB0T.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 4356	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	87
PID 1788 wrote to memory of 2732	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	88
PID 1788 wrote to memory of 2732	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	88
PID 1788 wrote to memory of 2732	1788	61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61bd7ba17214e93a5254253f89d92c0e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4356
- C:\Users\Admin\AppData\Local\pB0T.exe
  "C:\Users\Admin\AppData\Local\pB0T.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\isass.exe

Filesize
1.8MB

MD5
61bd7ba17214e93a5254253f89d92c0e

SHA1
06997b41f31cefb98b9fe27cfa5d08d3501ee925

SHA256
e11ea56696aee36f40a7c0bd488e312c98ffdcb1f2d69ae0b567d3137c500211

SHA512
102ae3a96d4d058ebfe7fee35d1341aedf2cbe1bd07d6cc14fe36849f47ca80a033c3886ab92829d2b72794f0e028a31d3a2b2cccbfe744e7b3ad2c3f47f8871

Download Submit
C:\Users\Admin\AppData\Local\pB0T.exe

Filesize
852KB

MD5
b551c9565a4fb8aa0038c11d54d08d25

SHA1
b2fc2103c79cbb5601c9bd49aca66f7183103aea

SHA256
ff878d602805191fda1da9cfc44ce72af0d11e027acd8e46f6ec20e7af5dd1ec

SHA512
17f586068a88b5e6fd6c4f6f5a4332b6580f8d8af45592556bc9bc8193a4340c3f03ddc199871d7976fb15d43c90279f00981d51ed71d3af91ecc18da71ccafe

Download Submit
memory/1788-0-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1788-66-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4356-47-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-51-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-49-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-45-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-43-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-41-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-53-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-21-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-19-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-17-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-8-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-6-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-4-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-10-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-54-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4356-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-3-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads