1142bcbeeeb5ce4b879668325b52eab179c96df41957c4f07cc44e3f32cf7cb0

General

Target

719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe
Size

122KB
MD5

719f5094aaca5d957107a206fcca0756
SHA1

a0785c5963b3eb071e389718ac4424ed23e068ef
SHA256

1142bcbeeeb5ce4b879668325b52eab179c96df41957c4f07cc44e3f32cf7cb0
SHA512

727e3c983c769ec73ffb0a5bee486fff28c6c8538a93abf945797a6ecfcc1423fbccc2c6d75509afc75177ea8d2991dc05a7a5c622dca07c157b98aa02e4d19a
SSDEEP

3072:c4bYK7lAvHQ+HglyitiC24ekdlzOnpYsHCWbNNZ:/55A/Qvl5YPclzOnpZdj

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	sys.exe

Executes dropped EXE 3 IoCs

pid	Process
2392	sys.exe
2868	wordpad.exe
672	host.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ias.dll	sys.exe
File created	C:\Windows\SysWOW64\12366-2651	host.exe
File created	C:\Windows\SysWOW64\wordpad.exe	sys.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\9848.tmp	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	wordpad.exe
2868	wordpad.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2392	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	84
PID 636 wrote to memory of 2392	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	84
PID 636 wrote to memory of 2392	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	84
PID 2392 wrote to memory of 4928	2392	sys.exe	85
PID 2392 wrote to memory of 4928	2392	sys.exe	85
PID 2392 wrote to memory of 4928	2392	sys.exe	85
PID 2392 wrote to memory of 2868	2392	sys.exe	86
PID 2392 wrote to memory of 2868	2392	sys.exe	86
PID 2392 wrote to memory of 2868	2392	sys.exe	86
PID 636 wrote to memory of 672	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	87
PID 636 wrote to memory of 672	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	87
PID 636 wrote to memory of 672	636	719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\719f5094aaca5d957107a206fcca0756_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\sys.exe
  "C:\Users\Admin\AppData\Local\Temp\\sys.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\ias.dll",RundllInstallA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Windows\SysWOW64\wordpad.exe
    C:\Windows\system32\wordpad.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\\host.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\host.exe

Filesize
67KB

MD5
9f0188d6fff2bd1165cc6f1a908e50be

SHA1
16bad77575637b72a29091d494385f912a7a9d9d

SHA256
1fcb4e3b00f58dda5efd2659143fb9ad337803d5e67d7e07310863f76e395802

SHA512
872e7d966ce5737b73642b08cb6e7dc84e6b4a39bc9d5fa28c8ba4e685a9151b0ced1cd8e65634be2dd160f29898fd8c7bb52239a810d343bccd905bc59edcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
60KB

MD5
37764d424236d94f1955ed19fb7394c3

SHA1
f4a01f90ce1fcde83c2916ffa0753d947b7a2c7b

SHA256
8747e3201acb309355070b1b49e23a717284ad2ed9ed01b5eaadccfee18b764e

SHA512
6123f37be37a73919ebcbed47151005960c1466395fa4a54aeba2a4f548025281765d63b2e6b84d5b197a9ad01c8647323767682e59561dca74b58a3d80414c7

Download Submit
C:\Windows\SysWOW64\wordpad.exe

Filesize
68KB

MD5
613b3aa501e628349a22b4c25d1a24a1

SHA1
e39068368766eacdf7bbd66c3fc878816228bb63

SHA256
6b9063a23a7fc9b0a05e9b9455462129e2c9bae40d83f6ccf033b694def09e70

SHA512
95c6883502ca2016b3fe4ca8a29ab44458624417efdabd7d589c04e5117a573672f8ede206d463695f2a34bb1e004549b5a8060c5fffead61824e5629566e341

Download Submit
memory/636-17-0x0000000000400000-0x000000000041E9E0-memory.dmp

Filesize
122KB

Download

Analysis

Sharing