3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456

General

Target

640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
Size

8KB
MD5

640f35ee88c5b979a7a78814c067ff0a
SHA1

0e30f5c203afcaf6753390bfe303e9a050138e62
SHA256

3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456
SHA512

d06451d2756527892f951f82176327174b912d751871581af8728ec47a0d239a78bba07748808ff9047a21d8642f3662cf43dc7580425b0d9c85c2dd069cf621
SSDEEP

192:9bElpZHUjkkdPBGz1ul1NWJFaNJhLkwcud2DH9VwGfct8uH:9bEpRakWPBGZul1OaNJawcudoD7UWQ

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1108	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2828-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2828-12-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1108	2828	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	84
PID 2828 wrote to memory of 1108	2828	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	84
PID 2828 wrote to memory of 1108	2828	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	84
PID 1108 wrote to memory of 3380	1108	b2e.exe	85
PID 1108 wrote to memory of 3380	1108	b2e.exe	85
PID 1108 wrote to memory of 3380	1108	b2e.exe	85
PID 3380 wrote to memory of 3616	3380	cmd.exe	89
PID 3380 wrote to memory of 3616	3380	cmd.exe	89
PID 3380 wrote to memory of 3616	3380	cmd.exe	89
PID 3380 wrote to memory of 3412	3380	cmd.exe	97
PID 3380 wrote to memory of 3412	3380	cmd.exe	97
PID 3380 wrote to memory of 3412	3380	cmd.exe	97
PID 1108 wrote to memory of 2972	1108	b2e.exe	100
PID 1108 wrote to memory of 2972	1108	b2e.exe	100
PID 1108 wrote to memory of 2972	1108	b2e.exe	100

C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat" "
    3⤵
    - Checks computer location settings
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe

Filesize
10KB

MD5
667b775061f480e6922d654e64f483d4

SHA1
02521f0db9dfc6755869db30d0368cf3b1f6c78d

SHA256
dc4c07ba975b890305d7b767c0e2467c36dfedaec6f14c2ec0653e8f2ee49fa9

SHA512
2743e7e434cf54ba049e8c7358c86103ec39e0d1dbce4025359bd002811be2a8d0b5538b5d110a28710814582f7a4ea31759d52faaa0e379d7a3f1bd3e315f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat

Filesize
1KB

MD5
0bfac90c179b2b0eb14241768b091e03

SHA1
c23382a5c5e6d11ad41fd6819ba2093d3c9db099

SHA256
c4b4faaf650530b390850356f1af0fca6359357ac48b40f46ca0ac436325f04d

SHA512
ed3f750da2d95925b96a623431dd9d40e2cb9229093cd3b008cd56fc3e64741b8d58123af026f9b0a7058947f612dc52b4b9654f470fd9223b6c8df8b3ba5c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
53B

MD5
ca0f2398bd2826a29c3f75bddde54891

SHA1
3d58403d49335187a332cc8de1f7db0e1f4a4937

SHA256
ffbfa4f17d477d877a5fbe259b4b427677006ff3a28df0d7ed6729dd7fea7922

SHA512
3910e7af69b8bb0c464b99e6c987b2612f809e08963fd74441dc86d362d671769a4c5e87e41dd64d7de89e92ce1ca1ccf0cb458036e1094d0dd8f7a609039b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
60B

MD5
46fad2ab21d05db03903ec01dfadd348

SHA1
80a904f97f2b8dafe26a5ded341dc3c8895563e4

SHA256
d1808d53224d50d790878bf1b3504fa57c153082c16c8481c7fd05c878923d00

SHA512
7fd1bbf4d858b59ecd39bee4756201e81df2abfe108d4edd54110e180c736067644f25ae5b428afa2cf3779e9ced2ea86cedf2ee068994348357464cfe14c63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
2f3c92a8a657dd4d67e08feffeb2981c

SHA1
4d7ebf5618e9d6bf95ebaf7ee3f1c279fca9ffa1

SHA256
a08b791ec12fbeaeb711f2b50c495ab7251103852bbe1178cf9af6b7271a3900

SHA512
e159bc1db27e673058b547dbb2988132b402da6cbb0e09a804591eddc10509335c2edbf74e708500bb83eb7afb642e9a281f345f73b74daa94e0f6cdb8fd0623

Download Submit
memory/1108-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1108-29-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2828-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2828-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads