525d10cdb850eec48d493440924e00fea92722bfb3f8ccb34e2c3bac768d76ab

General

Target

8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe
Size

2.0MB
MD5

8803b11dfdd25468983d1d2f9ff97f14
SHA1

ddbfe075d202f0eb40643fc989258f06e0a4ee0f
SHA256

525d10cdb850eec48d493440924e00fea92722bfb3f8ccb34e2c3bac768d76ab
SHA512

017ead1ddc34515c9fe67a7ac4aa8da142f12c2453c8af0aa52604b893bc8379d77acba7457bd42159707d06a01b8b297b08ffac325eddef2e8ff88b246c4382
SSDEEP

49152:DyqU/32OZXgeL+9yX9MyJiCkFhSp1BRjbzQh7LHQjr//Wk:DkRX+cXF/jXBNbG7Lwd

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	temp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	filesystemscan.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	temp.exe
2060	filesystemscan.exe
228	Protector-qhp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filesystemscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Protector-qhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	filesystemscan.exe
228	Protector-qhp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2760	3056	8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe	86
PID 3056 wrote to memory of 2760	3056	8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe	86
PID 3056 wrote to memory of 2760	3056	8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe	86
PID 2760 wrote to memory of 2060	2760	temp.exe	88
PID 2760 wrote to memory of 2060	2760	temp.exe	88
PID 2760 wrote to memory of 2060	2760	temp.exe	88
PID 2060 wrote to memory of 228	2060	filesystemscan.exe	89
PID 2060 wrote to memory of 228	2060	filesystemscan.exe	89
PID 2060 wrote to memory of 228	2060	filesystemscan.exe	89
PID 2060 wrote to memory of 4248	2060	filesystemscan.exe	90
PID 2060 wrote to memory of 4248	2060	filesystemscan.exe	90
PID 2060 wrote to memory of 4248	2060	filesystemscan.exe	90

C:\Users\Admin\AppData\Local\Temp\8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8803b11dfdd25468983d1d2f9ff97f14_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe" -e -p1331792007
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Protector-qhp.exe
      C:\Users\Admin\AppData\Local\Protector-qhp.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FILESY~1.EXE" >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\filesystemscan.exe

Filesize
1.9MB

MD5
65a93cb59b089bd678ab56b60fb7a060

SHA1
5bf9efe4df77c1838fd8d39bf8bc1fa1b63c2a2b

SHA256
830f016b394d0ff5e80e510fa7f17e9622287a276ad9dcf58b25f3dc57992922

SHA512
40869f6aba6def8accb54b602f92e9d9cb61a721d5225126ef6bba8f057642cfcf834c2a835781bffe13bcdc2e305f9b31cbe000e89d9a3314116fdc2e4e67fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\temp.exe

Filesize
1.9MB

MD5
af211d2b578be48a9ff226c00d53e9f6

SHA1
02247608e3dcd6fc6e5fc3b78d086ad60ab4e6f9

SHA256
ec75dc6b3fdc9c91e24ec89d6fdd066aefe6319cb967f06e25a2816ec5a8e5b5

SHA512
46af84cb4bed22e5383ea9db34f872547bbc2d5d99a0c4c1a029a8160b0fefb6fcecd2264b1ff918f7910b949e8c256c7d6581f154e7167446a19149d08c2012

Download Submit
memory/228-26-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/228-30-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/2060-21-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/2060-28-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing