bbbe8222197b8b0d145cb9f4083a4c97befc28a0c2ec33e6c34bbe5bfa557fe4

General

Target

63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
Size

5.4MB
MD5

63428f59e2a6751f317b9b47ab562048
SHA1

2be7ec4d73f12eec242f30eb61a3e3838c577130
SHA256

bbbe8222197b8b0d145cb9f4083a4c97befc28a0c2ec33e6c34bbe5bfa557fe4
SHA512

4b521d972694e7d597bba0308f869017ae810be8456d6f511f3f27a43a5409ae33155e1e8c30aec78a04d69f4b4074b1e4244565fa9918c4ba30f0f1c31f0c2f
SSDEEP

98304:qxmIY25JAmfnpZCMCxUd0nPrXpHzgyf5rpPniqY2DHDoLcKMmXec//////p:VIYsJAKZBoHxBiT2DHDoI9mXn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	is-R17S2.tmp

Executes dropped EXE 3 IoCs

pid	Process
2248	agogodvd2blackberry.exe
1236	is-R17S2.tmp
1352	crverify.exe

Loads dropped DLL 42 IoCs

pid	Process
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
1352	crverify.exe
1236	is-R17S2.tmp
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1352	crverify.exe
1352	crverify.exe
1352	crverify.exe
1352	crverify.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	crverify.exe
1352	crverify.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 2248	4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	84
PID 4184 wrote to memory of 2248	4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	84
PID 4184 wrote to memory of 2248	4184	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	84
PID 2248 wrote to memory of 1236	2248	agogodvd2blackberry.exe	85
PID 2248 wrote to memory of 1236	2248	agogodvd2blackberry.exe	85
PID 2248 wrote to memory of 1236	2248	agogodvd2blackberry.exe	85
PID 1236 wrote to memory of 1352	1236	is-R17S2.tmp	89
PID 1236 wrote to memory of 1352	1236	is-R17S2.tmp	89
PID 1236 wrote to memory of 1352	1236	is-R17S2.tmp	89

C:\Users\Admin\AppData\Local\Temp\63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe
  C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\is-JUJ41.tmp\is-R17S2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JUJ41.tmp\is-R17S2.tmp" /SL4 $7004A "C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe" 5198450 65536
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\is-VPJF1.tmp\crverify.exe
      "C:\Users\Admin\AppData\Local\Temp\is-VPJF1.tmp\crverify.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSMA3E1.tmp

Filesize
156KB

MD5
c30ad91fe7b1e7acaf391f4a66af6f06

SHA1
693467a271674cc45ea11bc805f66401fd04959a

SHA256
f0341a98b30386571ca83b24dac64534619727e13271a50a3d23f5287a3a3dcb

SHA512
f1ee9a93748b8dead511e6490b3752429fa8fb78987cd273b51379a5f021b0c917b514c4f8c0da6543efbf8637736043fb8d4e05fc3727165183ab6cec790e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe

Filesize
5.3MB

MD5
cf4326ef8d06a4603f7f8d9bd931c29a

SHA1
e6aea6adaf07db241040318b6a79d52d41ba98a7

SHA256
eb24226595ae46a1b2811f8aba56c03a2271bc9be782ed7d52076df970922b9a

SHA512
290d73e5d9781d44c179d12dd79dc16c2eb60daed57d9caea716d2244accff2c0cb257cde08071d654f9cef8c21dc0c0f36f463ee9bfdc83a3d2fb1df4cae40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUJ41.tmp\is-R17S2.tmp

Filesize
668KB

MD5
9920812796e6f8edf43e0aa79473bc86

SHA1
90d345a34ba5a7b582f1c9e6e23f7693fc7adcee

SHA256
66cf626ed02d471934f2a764a0882965689239ea3760294366966193f110398d

SHA512
ca73cbf8b0ae1ab6613335159e5bc82af680cdadfb3ae1f36376f720c23d2b8af774173419b33b0489fddd01a0629cad1df3784a24ce86483fe177c581fab052

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VPJF1.tmp\crverify.exe

Filesize
240KB

MD5
b42a69da9a633d4625c8d8edf3519acf

SHA1
55dfe024a3a2bd173eff363161ed641551c0b911

SHA256
4a1748e4a21f361b6e8b9f6eca004b80e67b4c3f5c91e9459281714eec543a7b

SHA512
5411ff03c0682d2d4e43f57d0106f010a147b4ed16bdff56b46e6853430a3a3811bd90acca9c24fcb98b4fe6c8aad2845d31b5753d19e8423acfe324e38c8413

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9E93.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9E93.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/1236-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1236-87-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1236-198-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1236-200-0x0000000077540000-0x0000000077564000-memory.dmp

Filesize
144KB

Download
memory/1236-199-0x0000000076AE0000-0x0000000076C80000-memory.dmp

Filesize
1.6MB

Download
memory/2248-23-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2248-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2248-197-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4184-151-0x00000000022A0000-0x00000000022C7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing