903b8f25efa5c67dab601ea852fe5ae5724238845ad7a923ed1a4550a10f6a13

General

Target

872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
Size

440KB
MD5

872529dda3c8c6ba8430529ba2f24564
SHA1

8f4f056d3a4ba3eb50cb3a7eb7c2705ecd106a0c
SHA256

903b8f25efa5c67dab601ea852fe5ae5724238845ad7a923ed1a4550a10f6a13
SHA512

502ef80a3247b484298879187e33806ded1edf0ddbada5333b81a569c7b248c7d3e2163c83579f81adead1530d347f52703fcca4984d78c513ca3868050b45a2
SSDEEP

12288:Tn0e123y2c8+0eoktq+CAXD0Ed+z/woO:Tn0e12i2caIq+CAT0v0

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	dfrgsnapnt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfrgsnapnt.exe"	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfrgsnapnt.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe
1000	dfrgsnapnt.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1000	2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe	85
PID 2352 wrote to memory of 1000	2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe	85
PID 2352 wrote to memory of 1000	2352	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe	85
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56
PID 1000 wrote to memory of 3588	1000	dfrgsnapnt.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\872529dda3c8c6ba8430529ba2f24564_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\dfrgsnapnt.exe
    "C:\Users\Admin\AppData\Local\Temp\dfrgsnapnt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfrgsnapnt.exe

Filesize
440KB

MD5
872529dda3c8c6ba8430529ba2f24564

SHA1
8f4f056d3a4ba3eb50cb3a7eb7c2705ecd106a0c

SHA256
903b8f25efa5c67dab601ea852fe5ae5724238845ad7a923ed1a4550a10f6a13

SHA512
502ef80a3247b484298879187e33806ded1edf0ddbada5333b81a569c7b248c7d3e2163c83579f81adead1530d347f52703fcca4984d78c513ca3868050b45a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eapp32hst.dll

Filesize
332KB

MD5
5d905032d3e396a1ae0956790b097d29

SHA1
2651a767078bd1091553b95b6d9ed9d3021267ef

SHA256
660aa5299a42f3cd7a114e57e979633f7dc1d275ffdf66022b4a689d554bad52

SHA512
0fa7f95dd4e4861c8231e8d10cac70a4a4146bdc6d0a72b35c566df1f1be8505d5066921d0af2cd0329c1d0e9e0dd57da52cb6f5c1093007c0e04b264c4fe0ed

Download Submit
memory/2352-0-0x0000000000400000-0x0000000000473400-memory.dmp

Filesize
461KB

Download
memory/2352-9-0x0000000000400000-0x0000000000473400-memory.dmp

Filesize
461KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads