46ba6ff4dc49b5f6393d204cc2f999704c1d1719e6173f71b6f74fedba90c7fa

General

Target

8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
Size

490KB
MD5

8a22fb4a108158be1b41b22033dfb18a
SHA1

388e3270d09fb6278dd5bed0a0c639f2cda20fbc
SHA256

46ba6ff4dc49b5f6393d204cc2f999704c1d1719e6173f71b6f74fedba90c7fa
SHA512

48ea965153444d6a8e2bbc347231bc135602d6fe9fe27140da75ff32060ceb02e014ed8806bf3fc0848fa56d9a0e0cdf1aba9859c6b8ffbf73927eb7d3019580
SSDEEP

12288:myZB2GYrdWrXusDCanzgCZpTxf9MzpwExcEPBBmkT:m4glrEDD1zgCPxGHg4

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	calc.exe

Executes dropped EXE 4 IoCs

pid	Process
3188	Flopy.exe
448	Freecell.exe
2344	calc.exe
2676	Cactus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Firewall = "C:\\WINDOWS\\system32\\Firewall.exe"	reg.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\3088	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\calc.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\SMxDivix.exe	Freecell.exe
File created	C:\WINDOWS\SysWOW64\Firewall.exe	Freecell.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\__tmp_rar_sfx_access_check_240616062	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240616609	Freecell.exe
File created	C:\WINDOWS\SysWOW64\SMxDivix.exe	Freecell.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\calc.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\Firewall.exe	Freecell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cactus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Freecell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{0FCDA3A4-9C51-4CC8-83D7-D0255B8C8CE3}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{D8C8F096-EBA9-43CD-84A8-4F85EEC3DF1C}	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3696	reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2676	Cactus.exe
2676	Cactus.exe
3460	OpenWith.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3188	4600	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	84
PID 4600 wrote to memory of 3188	4600	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	84
PID 4600 wrote to memory of 3188	4600	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	84
PID 3188 wrote to memory of 2400	3188	Flopy.exe	86
PID 3188 wrote to memory of 2400	3188	Flopy.exe	86
PID 3188 wrote to memory of 2400	3188	Flopy.exe	86
PID 2400 wrote to memory of 448	2400	cmd.exe	88
PID 2400 wrote to memory of 448	2400	cmd.exe	88
PID 2400 wrote to memory of 448	2400	cmd.exe	88
PID 2400 wrote to memory of 2344	2400	cmd.exe	89
PID 2400 wrote to memory of 2344	2400	cmd.exe	89
PID 2400 wrote to memory of 2344	2400	cmd.exe	89
PID 2400 wrote to memory of 3696	2400	cmd.exe	90
PID 2400 wrote to memory of 3696	2400	cmd.exe	90
PID 2400 wrote to memory of 3696	2400	cmd.exe	90
PID 2344 wrote to memory of 2676	2344	calc.exe	91
PID 2344 wrote to memory of 2676	2344	calc.exe	91
PID 2344 wrote to memory of 2676	2344	calc.exe	91

C:\Users\Admin\AppData\Local\Temp\8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600
- C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe
  "C:\WINDOWS\SYSTEM32\3088\3987\Flopy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt32861.bat "C:\WINDOWS\SYSTEM32\3088\3987\Flopy.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe
      Freecell.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:448
  - - C:\WINDOWS\SysWOW64\3088\3987\calc.exe
      calc.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe
        
        "C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Firewall /t REG_SZ /d C:\WINDOWS\system32\Firewall.exe /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe

Filesize
176KB

MD5
3c0f0a310773ed3e252d79ede97bc8d0

SHA1
66525ed9d335f2c0b3ba24f41157fa196ad28ca7

SHA256
5e3a184f5e9b963f04a1497bc7757bac5d68fb9372cb4156ae25595218196de3

SHA512
3ef58867a2cbcd37e328eb46361322640fd0dfbdc7fc6e3eabcaec833cc120cd84f92e06325afd807d4acd560a072a57f6448d76d7753d87d66756ad84cdeedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt32861.bat

Filesize
183B

MD5
511179cccf67ce1c9bb16c33b97f4f01

SHA1
05d7485510159be20057f9114730cb892b639e81

SHA256
4815a310718614dfa71347f354f945a05b37cd0c429d2e3a1a0b2fd95079be74

SHA512
7b6796505171015d9eeb8e64b774813fae109e5cffcc7044e6e7f40fb176b79d96bdd5a97cace1d53b0fe18248981ffc29a6febe238d7cdb64124b5a7fc8ff32

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\SysWOW64\3088\3987\Flopy.exe

Filesize
61KB

MD5
eb390351951f17245e8ed0924ac772ec

SHA1
d2990fc7b2e6e95938833f091a3e3227eff3dc52

SHA256
fb348bc3721705b6b31bbcd6393442da5ecf0cff246dfbf535a565696287d168

SHA512
3ea52f5a83de4a9eea0d61fba96f3741c50e7256504cbe8292a6d51f9b6a1d9ea6fe52e57b5bcd642d2545444b2e56ea68b521e12e897a89cf92d33b33467a4d

Download Submit
C:\Windows\SysWOW64\3088\3987\Freecell.exe

Filesize
271KB

MD5
b1af4b5bbf85431d868a9718dc493aac

SHA1
0fdd053ab638ed5382a88f26b8fa1cd6a13ef4a0

SHA256
673b6e51f443f2cf85920cff45c6fb80132d305c8285ccf0da80ef5bcb5a908f

SHA512
ba91c6c7aad211f5df07d2cff5927be8a6b9d6075c3990220ba2e6923380c027d7e61e90e92813f812fc4bfd6c6bbde92bd7c4969afb97933610c3e179b3269b

Download Submit
C:\Windows\SysWOW64\3088\3987\calc.exe

Filesize
207KB

MD5
509242c54fc321227fb88b0c4fb9efc9

SHA1
5c588eadff63df5c9f1fe53646e30cbeb7672ecf

SHA256
87a7608dc149aa90c6db160e557ff3da83d08a777e196f6cf3f2855f82b143f0

SHA512
11db462a859360c3c2532c767b69271619d2918ba4dd84fc591504ef276f0a567121ceb65ce947833c543643dc14c698049ef54e67b6f2bdc566a1aca201da19

Download Submit
memory/448-28-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2344-46-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3188-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4600-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads