0ff456077cf66d20ef08d5bcd810d6a16f68bdcbcd909a6721672cde5c4a0070

General

Target

69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
Size

77KB
MD5

69e1e9e431b2759be7bdd668268dfe78
SHA1

da6c6b7b46f17511cdfa6fff6a4e6a41afe65940
SHA256

0ff456077cf66d20ef08d5bcd810d6a16f68bdcbcd909a6721672cde5c4a0070
SHA512

b1762f5bd9267436c012e894d296835bac64b4dd59554270383039fa56cd947ed7d619103e5b1d16eb3c4e4d21a80aa34ee2361d777f402a93df736ee7a14bf8
SSDEEP

1536:uw4zKFY6bW9RX4jIRblotNxSXxRMrUOCA1BF02k+GP7xzeyhAOulU:uw4zKFY6qXuIRcNgwLzF1k1P7xzeVOum

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1764	morgmgr.exe
3020	morgmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\morgmgr = "C:\\Windows\\system32\\morgmgr.exe"	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\morgmgr.exe	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\morgmgr.exe	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 1764 set thread context of 3020	1764	morgmgr.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	morgmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	morgmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4812	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
3020	morgmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4392 wrote to memory of 4812	4392	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	84
PID 4812 wrote to memory of 656	4812	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	87
PID 4812 wrote to memory of 656	4812	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	87
PID 4812 wrote to memory of 656	4812	69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe	87
PID 656 wrote to memory of 1764	656	cmd.exe	89
PID 656 wrote to memory of 1764	656	cmd.exe	89
PID 656 wrote to memory of 1764	656	cmd.exe	89
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91
PID 1764 wrote to memory of 3020	1764	morgmgr.exe	91

C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.bat" 0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\SysWOW64\morgmgr.exe
      C:\Windows\system32\morgmgr.exe /B
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\morgmgr.exe
        
        C:\Windows\SysWOW64\morgmgr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69e1e9e431b2759be7bdd668268dfe78_JaffaCakes118.bat

Filesize
348B

MD5
481e8e8def7d977bc6db4b154a52fb2e

SHA1
f68e956156b9a4e944e564241fa2d39d6ecbc3e9

SHA256
84ddbcf06ccc0da88941825e9613383ddf33b5017588d742a0cfb9322604ef7e

SHA512
101e64b429a6c5b5e5338e433462a7bd8a14840d9a92de823c23e530180760ddda756cee6c7f5413e5582c5b4b1afa4775ca830da781316db28d58789906d119

Download Submit
C:\Windows\SysWOW64\morgmgr.exe

Filesize
77KB

MD5
69e1e9e431b2759be7bdd668268dfe78

SHA1
da6c6b7b46f17511cdfa6fff6a4e6a41afe65940

SHA256
0ff456077cf66d20ef08d5bcd810d6a16f68bdcbcd909a6721672cde5c4a0070

SHA512
b1762f5bd9267436c012e894d296835bac64b4dd59554270383039fa56cd947ed7d619103e5b1d16eb3c4e4d21a80aa34ee2361d777f402a93df736ee7a14bf8

Download Submit
memory/1764-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3020-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4392-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4812-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4812-3-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4812-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads