122e0727a8fa54dd69820b8262754c2125c3d4e2458fd71bc4413743a7b71662

Reason

Machine shutdown

General

Target

77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe
Size

20KB
MD5

77c5926ee5d55e427ef100d9861f784c
SHA1

e3c112a4a2217d0efb836de73f067442a4f40967
SHA256

122e0727a8fa54dd69820b8262754c2125c3d4e2458fd71bc4413743a7b71662
SHA512

cf7ea7567524a0c26b51125ab52dae2c3c057d8320783b871185ab07760eb867a5f175d224b90f00a736298dcb35621e58a3715f7da114bfb2b9fef7884ad5ff
SSDEEP

96:etJE33kf8J4UncxuWqCYqBddnl9SEvVc4MV9yVmEi2:KwPdIqeBR99rS9yPi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3856	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	84
PID 3512 wrote to memory of 3856	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	84
PID 3512 wrote to memory of 3856	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	84
PID 3512 wrote to memory of 2476	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	86
PID 3512 wrote to memory of 2476	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	86
PID 3512 wrote to memory of 2476	3512	77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe	86
PID 3856 wrote to memory of 2996	3856	cmd.exe	88
PID 3856 wrote to memory of 2996	3856	cmd.exe	88
PID 3856 wrote to memory of 2996	3856	cmd.exe	88
PID 2476 wrote to memory of 4012	2476	cmd.exe	90
PID 2476 wrote to memory of 4012	2476	cmd.exe	90
PID 2476 wrote to memory of 4012	2476	cmd.exe	90
PID 2996 wrote to memory of 3584	2996	net.exe	89
PID 2996 wrote to memory of 3584	2996	net.exe	89
PID 2996 wrote to memory of 3584	2996	net.exe	89
PID 4012 wrote to memory of 536	4012	net.exe	91
PID 4012 wrote to memory of 536	4012	net.exe	91
PID 4012 wrote to memory of 536	4012	net.exe	91

C:\Users\Admin\AppData\Local\Temp\77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77c5926ee5d55e427ef100d9861f784c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop KAVStart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\net.exe
    net stop KAVStart
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KAVStart
      4⤵
      System Location Discovery: System Language Discovery
      PID:536

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B3AC026A2736CFD21E4D4EAA3936D6E; domain=.bing.com; expires=Sun, 24-Aug-2025 08:21:40 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F4D66459E7FB4E919C51DFF91F130C3C Ref B: LON04EDGE1007 Ref C: 2024-07-30T08:21:40Z
date: Tue, 30 Jul 2024 08:21:40 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B3AC026A2736CFD21E4D4EAA3936D6E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=1R9Xkkrfz2SFzD9DOBYCQLh0gW7VWxUA70SdFCgl6I8; domain=.bing.com; expires=Sun, 24-Aug-2025 08:21:41 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F46DD18B972D49F0894AEE6477A8CADE Ref B: LON04EDGE1007 Ref C: 2024-07-30T08:21:41Z
date: Tue, 30 Jul 2024 08:21:40 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B3AC026A2736CFD21E4D4EAA3936D6E; MSPTC=1R9Xkkrfz2SFzD9DOBYCQLh0gW7VWxUA70SdFCgl6I8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5CF7055B95FA44F088EDF9873B1F157E Ref B: LON04EDGE1007 Ref C: 2024-07-30T08:21:41Z
date: Tue, 30 Jul 2024 08:21:40 GMT
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

tls, http2

2.4kB
9.2kB
20
15

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d37260a5eb1e428e9ce859bc2b1ad6f4&localId=w:BC80AFB7-E6E1-07B6-705F-E96FCE29F2A7&deviceId=6755468454491161&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.