c79a261b857b6139662023863d2f65f39f0e13720ffe557d410471565b6407a0

General

Target

72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
Size

2.6MB
MD5

72e36e34a1f4e269d07d108d82bdf2a0
SHA1

89b371c36fe9738362ee2d0cc104fdb202314826
SHA256

c79a261b857b6139662023863d2f65f39f0e13720ffe557d410471565b6407a0
SHA512

f333b741fd2e3b773afb6b5c2de91854f58cd439602264e7c197eaac074e5063e42b1c86e98e266fd0d46de410862087d788e834776ad2dcc567b9647a67e624
SSDEEP

49152:1voJUoKj1+9KXy+GxnekmZkEMbdUaKLBOihl/3p0842/YKEkpEQ3:1vol84oIepkEMZ4cQl/3p0epN

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zarchive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zarchive.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1936	cwd.exe
4144	zarchive.exe
3976	zarchive.exe

Loads dropped DLL 7 IoCs

pid	Process
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2204	3976	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zarchive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zarchive.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\59B0CDBCE5A38D97DBED9920A83EE750CB1833F1	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\59B0CDBCE5A38D97DBED9920A83EE750CB1833F1\Blob = 03000000010000001400000059b0cdbce5a38d97dbed9920a83ee750cb1833f12000000001000000190200003082021530820182a00302010202101ef8847394c524a24bde31b3e6def2d7300906052b0e03021d0500301a311830160603550403130f4f7265676f6e61536f667477617265301e170d3131313132383038323931365a170d3339313233313233353935395a301a311830160603550403130f4f7265676f6e61536f66747761726530819f300d06092a864886f70d010101050003818d0030818902818100ddc5b69f7f06dd8db5ef3e29a8c39073aabb7d93f125f3bccf9134d0c7b138a838519c4e8f0679dbe59e3d95e18e0b25a9da84fafeea79a56489b33e0b59b5e39b39a767c6929468fca6e62e8e78f853319d809f7d5d23877e88de6310c9c5bd1fcdb7be5453aff4891a04a3f9b5bd0dbbc9b21a6b1cb77b6421c8c8265ab0090203010001a364306230130603551d25040c300a06082b06010505070303304b0603551d0104443042801094c3deb42ea2c46deb625ddead97e3b9a11c301a311830160603550403130f4f7265676f6e61536f66747761726582101ef8847394c524a24bde31b3e6def2d7300906052b0e03021d05000381810071aa5324c2018d4645d16344cf75359e75f69bb758ac5c0a56edd9ad606614449b9df0bbbf10a08b914deb39cd742fca3e907f8d08109510e68277c2951e2865331f011ba3d1901782c22b67b8ac6eee2a9187a18fed74b725ad98083b2e37c1bd2a193d932d35bc9166041dd933b19ad03fe850f102c27b6670452121303ba7	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1936	3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe	87
PID 3004 wrote to memory of 1936	3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe	87
PID 3004 wrote to memory of 1936	3004	72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe	87
PID 1936 wrote to memory of 4144	1936	cwd.exe	89
PID 1936 wrote to memory of 4144	1936	cwd.exe	89
PID 1936 wrote to memory of 4144	1936	cwd.exe	89
PID 4144 wrote to memory of 3976	4144	zarchive.exe	90
PID 4144 wrote to memory of 3976	4144	zarchive.exe	90
PID 4144 wrote to memory of 3976	4144	zarchive.exe	90

C:\Users\Admin\AppData\Local\Temp\72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72e36e34a1f4e269d07d108d82bdf2a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\zarchive\cwd.exe
  "C:\Users\Admin\AppData\Roaming\zarchive\cwd.exe" /q /c start /b /d "C:\Users\Admin\AppData\Roaming\zarchive" zarchive.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Roaming\zarchive\zarchive.exe
    zarchive.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Roaming\zarchive\zarchive.exe
      zarchive.exe
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1040
        5⤵
        Program crash
        
        PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3976 -ip 3976
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp\System.dll

Filesize
10KB

MD5
cb589d300ffc4e38183880a476eb5aee

SHA1
3c7828ebabbd53305ca7dead9d75858a87cfaf71

SHA256
b40bf86e3522e4504dca095721040d1b143438076a5d299210b654f38f86aabf

SHA512
c3b453c997a8a9fecb2decfe65bdc2810e79ac81b7e9dfa960c05efecd3016fe8f3f20e06b49abdc4112f8e948856ea0fbaccd2c8f5e45f03242d839ccb1cd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp\VPatch.dll

Filesize
7KB

MD5
b2a8be8de58cf1273d0992fd5da7cb2f

SHA1
af4fa16c2bc91a91b72de0e636dafcdc2f894044

SHA256
6b161a1e90516f1f53e69aec387b5f59b2bdedf19cb4eee6f7ade2e82c0a7173

SHA512
b1b0bd40d26d581a0056cc4cece07a929d28e831209017ee3ebfc3d429409842ef3720c0b6ebbd26966e7d647a8da389e317e1152041ca5a0dc78528d733c151

Download Submit
C:\Users\Admin\AppData\Roaming\zarchive\cwd.exe

Filesize
386KB

MD5
53aeeaf4e7f12b8e91b3a474cafb4115

SHA1
b90f3887c035b47fde7280bcec91ce273fbc8f7f

SHA256
c95c0dcebfcb96020248be1dbe04752acdca6971ed81b308dba302b713882d29

SHA512
6ef041f581046dddc58608c9a8ff800eaf4355328ec5132ecc1345fdfbae97b04a88f2b4ab26989a33c4bf2e24f81cb0b9339a58d4e54f6831dd5cab78f42fc1

Download Submit
C:\Users\Admin\AppData\Roaming\zarchive\zarchive.exe

Filesize
1.2MB

MD5
61cb6e69204243334d35904508900c11

SHA1
6e4e580f018c169ce5cf7355e863ac36559fdf4d

SHA256
7bfd318a1c2aa5815f27ec63ce8dc7292c824d549a83c4ad6f5801b44e26e329

SHA512
0bcfab91cf9bbeaf0c37e3c44217e42e6bec049990d289bc75a8d422decb43d8e20f9bf08a827d127ac922de8291f369e00d8b741efe1014acf8ac9ae7f808ee

Download Submit
memory/3976-107-0x0000000002250000-0x0000000002355000-memory.dmp

Filesize
1.0MB

Download
memory/3976-101-0x0000000002250000-0x0000000002355000-memory.dmp

Filesize
1.0MB

Download
memory/3976-109-0x0000000002250000-0x0000000002355000-memory.dmp

Filesize
1.0MB

Download
memory/3976-110-0x0000000002250000-0x0000000002355000-memory.dmp

Filesize
1.0MB

Download
memory/3976-111-0x0000000000820000-0x00000000009E8000-memory.dmp

Filesize
1.8MB

Download
memory/4144-96-0x0000000000820000-0x00000000009E8000-memory.dmp

Filesize
1.8MB

Download
memory/4144-112-0x0000000000820000-0x00000000009E8000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads