203c04461f229a0f0acf628c644a588b462d7de683f0086154ebd57b6b0e5b49

General

Target

6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
Size

593KB
MD5

6282fe5a6419462915a66eb2999dfd2a
SHA1

077c0ccb181bb1f767dc3960aa571016e25dfa75
SHA256

203c04461f229a0f0acf628c644a588b462d7de683f0086154ebd57b6b0e5b49
SHA512

03ec34262d5060e48cb627b586a047f463b54cad74a80a64bca58ee2a91729f2bf4e62a4dba6964a52b76352d4482992ea3163b05e56f62508c4a7c59ec7de3b
SSDEEP

12288:GpyuQvBorRimccTxKosx4UwuNjdRLB+9lf76GGsV3ReLiKzgqR:GpyubrRimjsxouBzLAPfZn3g2KzgqR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4536	2815.exe
4236	WinXPs.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2815.exe	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinXPs.com	2815.exe
File opened for modification	C:\Windows\WinXPs.com	2815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3776	4536	WerFault.exe	87
396	4236	WerFault.exe	91

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WinXPs.com
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WinXPs.com
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WinXPs.com
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WinXPs.com
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WinXPs.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	2815.exe
Token: SeDebugPrivilege	4236	WinXPs.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4236	WinXPs.com

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4536	2156	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	87
PID 2156 wrote to memory of 4536	2156	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	87
PID 2156 wrote to memory of 4536	2156	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	87
PID 4236 wrote to memory of 5108	4236	WinXPs.com	94
PID 4236 wrote to memory of 5108	4236	WinXPs.com	94
PID 4236 wrote to memory of 5108	4236	WinXPs.com	94

C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\2815.exe
  "C:\Windows\System32\2815.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 516
    3⤵
    - Program crash
    PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4536 -ip 4536
1⤵
PID:2220

C:\Windows\WinXPs.com
C:\Windows\WinXPs.com
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 516
  2⤵
  - Program crash
  PID:396
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4236 -ip 4236
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\2815.exe

Filesize
297KB

MD5
5f508dea688139638c9a73dd03b580eb

SHA1
7a16b6dbb81af07378cd568ace3af897b397410a

SHA256
ddd9676f893da8eb1c0570c094e94bc3cad4e35e9c519cc3a95c46811c7bb703

SHA512
da517ca4fbce3d655ebdad8fc7f4cc54100d58e5cb4efefd91647734c2af719a83326c7794c6cf3d177f92406c6c3a46d58151fdc14637126bb7698c7b3e96d9

Download Submit
memory/2156-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4236-19-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4236-20-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4236-22-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download
memory/4236-24-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4236-25-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4236-28-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download
memory/4536-11-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download
memory/4536-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4536-16-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4536-21-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing