aff15eb99f27e19ee41b2319bd9dd54593c0a721f768e1000d51ea9681ccd9e7

General

Target

7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
Size

640KB
MD5

7323830f605ae1bab569661866537cc7
SHA1

2f5c0a769f9c50741814d2612f6bd946d28f288c
SHA256

aff15eb99f27e19ee41b2319bd9dd54593c0a721f768e1000d51ea9681ccd9e7
SHA512

5784f277d41f40a6406a0859d016708ef8bee30f8fcbd06fba3f06831b4138872f026e0df7fad5b252a352f2b4f4b21d2d7f2713c279fa35f2619c553031ecbd
SSDEEP

12288:AoNAQqLew5SdDN2u/RCa7F804DevBjnWMOC6z9uoKPFwX3/zi2sV:AMPqh5SV8aRCeGPDatd0uoeFCm

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	240623954.exe

Executes dropped EXE 3 IoCs

pid	Process
696	240623953.exe
1488	240623954.exe
2940	tSfkTNduxrPpGPr.exe

Loads dropped DLL 2 IoCs

pid	Process
3768	rundll32.exe
2840	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skinaxijumaf = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\SWsp140.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tSfkTNduxrPpGPr.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tSfkTNduxrPpGPr.exe"	240623954.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tSfkTNduxrPpGPr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240623953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240623954.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1488	240623954.exe
1488	240623954.exe
1488	240623954.exe
1488	240623954.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe
3768	rundll32.exe
3768	rundll32.exe
2940	tSfkTNduxrPpGPr.exe
2940	tSfkTNduxrPpGPr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	240623954.exe
2940	tSfkTNduxrPpGPr.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 696	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	84
PID 5016 wrote to memory of 696	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	84
PID 5016 wrote to memory of 696	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	84
PID 5016 wrote to memory of 1488	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	85
PID 5016 wrote to memory of 1488	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	85
PID 5016 wrote to memory of 1488	5016	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	85
PID 696 wrote to memory of 3768	696	240623953.exe	86
PID 696 wrote to memory of 3768	696	240623953.exe	86
PID 696 wrote to memory of 3768	696	240623953.exe	86
PID 1488 wrote to memory of 2940	1488	240623954.exe	88
PID 1488 wrote to memory of 2940	1488	240623954.exe	88
PID 1488 wrote to memory of 2940	1488	240623954.exe	88
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 3768 wrote to memory of 2840	3768	rundll32.exe	100
PID 3768 wrote to memory of 2840	3768	rundll32.exe	100
PID 3768 wrote to memory of 2840	3768	rundll32.exe	100
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56
PID 2940 wrote to memory of 3548	2940	tSfkTNduxrPpGPr.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	240623954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	240623954.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7323830f605ae1bab569661866537cc7_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\240623953.exe
    C:\Users\Admin\AppData\Local\240623953.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\SWsp140.dll",Startup
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe "C:\Users\Admin\AppData\Local\SWsp140.dll",iep
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
- - C:\Users\Admin\AppData\Local\240623954.exe
    C:\Users\Admin\AppData\Local\240623954.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\tSfkTNduxrPpGPr.exe
      "C:\Users\Admin\AppData\Local\Temp\tSfkTNduxrPpGPr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\240623953.exe

Filesize
84KB

MD5
9be13472b00469318f78fd87df12c5e9

SHA1
fb9cd4b3410324ebff8a904914d295508960642b

SHA256
ccbb02fb38480f3386a5262cd7b8c1078e2684d9170cf2c6807b7c7b1d21fceb

SHA512
c0737e303d6a6811410b48e39fad1985f3a0061ecd554602551ee30c3bdaeb7393642916c891aeaa97bdc41ccfb45575a6e429819519ec326627c4b5c2b60707

Download Submit
C:\Users\Admin\AppData\Local\240623954.exe

Filesize
454KB

MD5
c35759b480d63c5d93ec40cc5c29e5bd

SHA1
476b0d71e11292a7f1afcf49a1501187eeb6aaea

SHA256
647ccf68ebc7861d4d4c07a40277d58d2a9b3b8d74c8908a80f021e700152d54

SHA512
e43636afca05f0ccd47c14f9cdfddf57bf2312b79c2a6ba79195b0b78182d885256f37c291d6f413ca88bcffda3ed39012215ee1ca6ae0c8212a1a36d1839a3e

Download Submit
C:\Users\Admin\AppData\Local\SWsp140.dll

Filesize
84KB

MD5
0f0d036741e8f62798fcd6843bfe55a4

SHA1
a1ef5f4141cf22a24aa14406095d9914a5356dbe

SHA256
d9c11aa00b60b4d4e892e8eaec4d00eaaf8e301bd6da0424a2fe6864c82e7235

SHA512
839870bb7a1fa3f876990614d3b797b6b3ef921a6f696bedee2597365b6ff6af1769c14c81209d90a4e0aedd0b62d2a92f7063adcbbc7faae71bc68aff13fdd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuAosUtWXEuPkAf.dll

Filesize
408KB

MD5
673c74e0a32c805899539d3003f563f3

SHA1
4a1a0b8f4060906dcc662d3dfa396bc8bb2b69c5

SHA256
9bc5032f5dad7bd44fa3d532007da4662533bec5beb6d3d4412db35f1eb2f266

SHA512
dde1191c031111959ee962d972126b21963f840a4c198c55d02218c012b89c9488182baca14253caf4d3d42826a3a157cf5ae75cc64a39cb5ba0f7763373db23

Download Submit
memory/696-41-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/696-13-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/696-12-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/696-11-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/696-42-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/696-37-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1488-17-0x00000000020D0000-0x0000000002140000-memory.dmp

Filesize
448KB

Download
memory/1488-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1488-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1488-35-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2840-56-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2940-39-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3768-22-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/3768-38-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3768-20-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3768-46-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/3768-47-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/3768-52-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3768-62-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/5016-1-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/5016-2-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/5016-0-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads