ee53de7ebdf6d1ef5c03db081607186e089976fa9efa39458cda7e218054a32b

General

Target

a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe
Size

1.0MB
MD5

a046e3e79bf4803300433a93a808975d
SHA1

223525b9793371ad65f66dfaf155eaa8f0b4f921
SHA256

ee53de7ebdf6d1ef5c03db081607186e089976fa9efa39458cda7e218054a32b
SHA512

31efb6f0ccb258588a527ac3ef52f513364818ed36f1ab3e915ee7390e1f5b33c926c3b847c435cddb33ff77efb8cf7887b537a10db1c74eb2d8addc4604fa0c
SSDEEP

24576:bqxKUtTkbDGBb2Jzark8QFx/5Aff8wV2+aXn3QU1:bknTkGsIkrFxUzC3Q

Score

7^/10

defense_evasion discovery upx vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	dgyghgy4.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	dgyghgy4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023398-11.dat	upx
behavioral2/memory/2728-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2728-28-0x0000000000400000-0x0000000000429000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00070000000233a0-23.dat	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zydxc2.dat	dgyghgy4.exe
File created	C:\Windows\SysWOW64\zydxc3.dat	dgyghgy4.exe
File opened for modification	C:\Windows\SysWOW64\zydxc4.dat	dgyghgy4.exe
File created	C:\Windows\SysWOW64\zydxc4.dat	dgyghgy4.exe
File created	C:\Windows\SysWOW64\mysafe.dat	dgyghgy4.exe
File opened for modification	C:\Windows\SysWOW64\zydxc1.dat	dgyghgy4.exe
File created	C:\Windows\SysWOW64\zydxc1.dat	dgyghgy4.exe
File opened for modification	C:\Windows\SysWOW64\zydxc2.dat	dgyghgy4.exe
File opened for modification	C:\Windows\SysWOW64\zydxc3.dat	dgyghgy4.exe
File created	C:\Windows\SysWOW64\lqrfcyafu.dll	dgyghgy4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgyghgy4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	dgyghgy4.exe
2728	dgyghgy4.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2728	dgyghgy4.exe
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2728	dgyghgy4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	dgyghgy4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3880	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	84
PID 1536 wrote to memory of 3880	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	84
PID 1536 wrote to memory of 3880	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	84
PID 1536 wrote to memory of 2292	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	86
PID 1536 wrote to memory of 2292	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	86
PID 1536 wrote to memory of 2292	1536	a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe	86
PID 2292 wrote to memory of 2728	2292	cmd.exe	88
PID 2292 wrote to memory of 2728	2292	cmd.exe	88
PID 2292 wrote to memory of 2728	2292	cmd.exe	88
PID 2728 wrote to memory of 4880	2728	dgyghgy4.exe	89
PID 2728 wrote to memory of 4880	2728	dgyghgy4.exe	89
PID 2728 wrote to memory of 4880	2728	dgyghgy4.exe	89

C:\Users\Admin\AppData\Local\Temp\a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a046e3e79bf4803300433a93a808975d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\µÍµ÷-V5.27.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe

Filesize
47KB

MD5
48ec311991b33a03618e616a7f546e35

SHA1
77a020e9810e0d5071c3ba3ac8670ea596e8feb6

SHA256
824c36415ac98624ae703ac7e9a99c336a1dd2eeabe2e68c41a7197175823d05

SHA512
26a951f6926f6fde11d8366b82c0e57baf07878ddc83c059053d3551bf4618537eb57b5af7a6b50446fdc0cf1c855f1ff4b016e3a7f81239ba6d1f22a1eeb22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\dgyghgy4.exe.bat

Filesize
175B

MD5
3b848765b3f3a79da08cda40c6019214

SHA1
df741edd0bd5896438029e17e24ae4d7716bfe75

SHA256
274d5a7aded1ad55dc902e6c9ce8c4f7a95de8d68850b15534df2dcaf08c44e6

SHA512
d5032330d636d7bdee77ec04d6abe5a494fea91e91a41dfff5f9ab13d51812277d349a1905b412db3a2ed5258589e5a0260f3f4c4bcf57b45fb228a39951b369

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\µÍµ÷-V5.27.exe.bat

Filesize
181B

MD5
ddd924502a3c6a70b38ea82d8854ecb6

SHA1
50f1cb4c407cc8f1730abacea21c14c519da3b76

SHA256
459a948bda85f2524c260957c2324d0429597ec68b41b4e21c09de30a0e845e8

SHA512
02b64c4f3eba22e64e7c26db2b63d0f646db2135b41b8e0ee03d422c498e7c64b35eabb7188f9fa6208c0d4e1b2443d771f51bcb0cfccf0e564043e49f49464f

Download Submit
C:\Windows\SysWOW64\lqrfcyafu.dll

Filesize
60KB

MD5
ac3c4b082f21a3e381503665e83f9e44

SHA1
527a2c217f4ddfc1c33479050744effa579c0e4a

SHA256
8e6b697705c5d03c35662d36026042c9650ddd65ad21250294e6e05749fcb40b

SHA512
92dc32ebb0b660382bc5656e211ea09e96c7caa7b2a63c7c5b12c2fa29c03b1fa5f14d3375c121851ff6416d20e23d6b7d33e66a0beb852502825cf29abcee12

Download Submit
memory/2728-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-25-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2728-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing