d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d

General

Target

64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Size

241KB
MD5

64e77fea7691cb2b80e910c313d669a7
SHA1

578199a7e14949d7b7365f609075917099fab176
SHA256

d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d
SHA512

5058ed74b1acdfc987b2b8bd31e641affbbea5ea3b89cbf066d934e20d006d370bfddd2d489ed8a06ccd6bc3dbd51a1af1108529d468f4429873ffca02555c82
SSDEEP

6144:8+NB/XILQ09WilJK4yz57r5Z/xYpIAlVp/eoqzEDJRXL:dr/YNl+Z/xYpxTvqY7

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	Wcheck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	Wcheck32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Wcheck32.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	Wcheck32.exe
1880	Wcheck32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2028-0-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/files/0x000700000002349b-12.dat	upx
behavioral2/memory/2028-31-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/2660-32-0x0000000000400000-0x0000000000545000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Y634JqmzeIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\F86Fu3icbJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Y634JqmzeIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\F86Fu3icbJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Wcheck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Wcheck32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2660 set thread context of 1880	2660	Wcheck32.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2660	Wcheck32.exe
2660	Wcheck32.exe
2660	Wcheck32.exe
2660	Wcheck32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
804	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2660	Wcheck32.exe
1880	Wcheck32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 2028 wrote to memory of 804	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	87
PID 804 wrote to memory of 2660	804	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	88
PID 804 wrote to memory of 2660	804	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	88
PID 804 wrote to memory of 2660	804	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	88
PID 2028 wrote to memory of 3424	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	89
PID 2028 wrote to memory of 3424	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	89
PID 2028 wrote to memory of 3424	2028	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	89
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 1880	2660	Wcheck32.exe	91
PID 2660 wrote to memory of 2224	2660	Wcheck32.exe	92
PID 2660 wrote to memory of 2224	2660	Wcheck32.exe	92
PID 2660 wrote to memory of 2224	2660	Wcheck32.exe	92

C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
    C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
      "C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat" "
      4⤵
      PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat" "
  2⤵
  PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat

Filesize
217B

MD5
5fde17d4da319a119f808c17428ec4bc

SHA1
d2daf3f16ab9739e8f3683379842039dcfe3ac50

SHA256
05580cf2e2acb47c4f1d5ad80b52891c7fa653f2d4c871672ef2e662b68d8c09

SHA512
fef885038ae696cd955b745a6465fc9ad44479acb8d25436873fbfd48ca7d2dea22076db5b2cfbe4988be61a84abcaf2c293aaebf9e1409c817dfd8619630989

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat

Filesize
179B

MD5
7ff15068d3a319265d84eb524007c80f

SHA1
b4e4568000fb4aab910832065bc991f05d8d2b5b

SHA256
a7a110d053ae27e4cd7ae0642f0eb41de4fb98d26efe28c19aa9283d614b7a98

SHA512
f98dda2f84cf95b891b71e4d3310c6ac0a7fd63f22d3f5fbf2fb5058d84dd62d3410fb22ddb74fd3f10f3f2ce815d03eb0d15b02f6f079d88390b3f5fab846bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe

Filesize
241KB

MD5
64e77fea7691cb2b80e910c313d669a7

SHA1
578199a7e14949d7b7365f609075917099fab176

SHA256
d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d

SHA512
5058ed74b1acdfc987b2b8bd31e641affbbea5ea3b89cbf066d934e20d006d370bfddd2d489ed8a06ccd6bc3dbd51a1af1108529d468f4429873ffca02555c82

Download Submit
memory/804-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/804-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/804-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-37-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-46-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2028-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2028-31-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2660-32-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads