5579f59be44ed98431ec8aa6a1649ab7b545ce4bc794af4bca8691b6b9ae33d1

General

Target

a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe
Size

2.3MB
MD5

a20a683436592e30d7bef17fbcd72487
SHA1

e9df5ef7775d6634b2da4e3f23cb854306414bec
SHA256

5579f59be44ed98431ec8aa6a1649ab7b545ce4bc794af4bca8691b6b9ae33d1
SHA512

d403e0a4f1518784d7f7227c574c7d0b0519f4a64a7dcdcbd7a806697c9da99d57aff02efdd5d35325e6c7113e3c450604df1845ed6cbf41a46ee6b5402eb394
SSDEEP

49152:nZYizJ0n0i89RQ7EdWf8xB0Hs8Wl6643Tt84voEttfdiBRTEmHvh:DJ0nyLXoYyHpWl6VxpwEbsnl

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	HXA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	tms.exe

Executes dropped EXE 3 IoCs

pid	Process
4040	tms.exe
2812	Tibiamc944.exe
3416	HXA.exe

Loads dropped DLL 2 IoCs

pid	Process
3416	HXA.exe
2812	Tibiamc944.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HXA Start = "C:\\Windows\\SysWOW64\\DFURFU\\HXA.exe"	HXA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DFURFU\HXA.004	tms.exe
File created	C:\Windows\SysWOW64\DFURFU\HXA.001	tms.exe
File created	C:\Windows\SysWOW64\DFURFU\HXA.002	tms.exe
File created	C:\Windows\SysWOW64\DFURFU\HXA.exe	tms.exe
File opened for modification	C:\Windows\SysWOW64\DFURFU\	HXA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tibiamc944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HXA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tms.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tibiamc944.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Tibiamc944.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3416	HXA.exe
Token: SeIncBasePriorityPrivilege	3416	HXA.exe
Token: SeIncBasePriorityPrivilege	3416	HXA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3416	HXA.exe
3416	HXA.exe
3416	HXA.exe
2812	Tibiamc944.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4040	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	87
PID 768 wrote to memory of 4040	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	87
PID 768 wrote to memory of 4040	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	87
PID 768 wrote to memory of 2812	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	88
PID 768 wrote to memory of 2812	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	88
PID 768 wrote to memory of 2812	768	a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe	88
PID 4040 wrote to memory of 3416	4040	tms.exe	89
PID 4040 wrote to memory of 3416	4040	tms.exe	89
PID 4040 wrote to memory of 3416	4040	tms.exe	89
PID 3416 wrote to memory of 2484	3416	HXA.exe	102
PID 3416 wrote to memory of 2484	3416	HXA.exe	102
PID 3416 wrote to memory of 2484	3416	HXA.exe	102

C:\Users\Admin\AppData\Local\Temp\a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a20a683436592e30d7bef17fbcd72487_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\tms.exe
  "C:\Users\Admin\AppData\Local\Temp\tms.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\DFURFU\HXA.exe
    "C:\Windows\system32\DFURFU\HXA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\DFURFU\HXA.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
- C:\Users\Admin\AppData\Local\Temp\Tibiamc944.exe
  "C:\Users\Admin\AppData\Local\Temp\Tibiamc944.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tibiamc944.exe

Filesize
4.7MB

MD5
54ac6966ec8caf6243014a9c69bb6bef

SHA1
d08b1ac8c203c13799627529311eafe7a7b5debe

SHA256
f13012decacda790f03ad58dd511bd3f91cc1a7f59ac52acdae580ee8684eb27

SHA512
2d6946aa596de82d08674629eb94a76f277d8b44289abf330811f406f4a76b2c96d60d44d98aa4b30fd071b71383b1abcdae89b18899a5bf12f9424f2329f273

Download Submit
C:\Users\Admin\AppData\Local\Temp\tms.exe

Filesize
985KB

MD5
8d92e15714c59710372dd8e62af35717

SHA1
f02935ba834949e231ac4e2c52c6412f54823f62

SHA256
ab12e64644c2c52ea659ac1d4de48d0ea39bdd7938e1ed96e6b1fa8f9146487c

SHA512
83054107b407de66ee8e034585a10202638b3f6d1b077e8f8f8268d00cb738d8f47727f8a7d853959dde74138df5d5a502f12c4b836d635b077c4e9c2f18385f

Download Submit
C:\Windows\SysWOW64\DFURFU\HXA.001

Filesize
76KB

MD5
99c4625c590fe266ad78de0fc8869f27

SHA1
ce9eaefd037a1e522bf099817631cd9d9201ebba

SHA256
4a81ec57aac6f8d01e2c2bf26c023365220277fa34397ef40f8251209bda7e7d

SHA512
23dae90b83a373ad36902fae6dbbc85b3726f86830d2e768deab6fc43bb5c60fddb8a8a8a0ebf0dd4a72fed9568c47b32f20e8fdde1efde5cb6cecfed594b55b

Download Submit
C:\Windows\SysWOW64\DFURFU\HXA.002

Filesize
54KB

MD5
3e87c616fe2effbbc9f5338b2b1dd844

SHA1
fc3322c0f302377796ec21cf2d5e51d3221a0bf7

SHA256
846cddff950f8240e742a9b14a90daf7fd27959d927ca774259360bbaf1d07c0

SHA512
73d5f95378f4b1bce91fb572f40a1537eb41c71bb59814478d7fa0e5c7dbc20335166e8b00bd76572565b1ee837a2313548d186a68e12018bd807182243cd1b4

Download Submit
C:\Windows\SysWOW64\DFURFU\HXA.004

Filesize
1KB

MD5
e7c5137bfd0afe43967a02123ddeef27

SHA1
fe809d1d39fdf34b1586ed04bd3e470719a3d96b

SHA256
ad56194b19864c1775e6d21be86a05a7e00e5a957e15a803a40f4b94e9c0fdd6

SHA512
d285dba2dcf64ce8ce9c4fc99217964364e67e4e501aa5e44068704a61d317494fd3cb6d9b0debbc15505dae0fb8bb074a16d3e0008154b48a5ce2df4720a806

Download Submit
C:\Windows\SysWOW64\DFURFU\HXA.exe

Filesize
1.7MB

MD5
b37aad7a36fbbb2d2054e082d590a76c

SHA1
b61e6e9a717c5105541d180ffd5c82ff1909072e

SHA256
11a3b8f8734f5aca98a7a3207464de7038168cabb0588e4bd54dae07cb7cfd32

SHA512
3c8afc6acc308e05247b077cc40e6ffbb9b5903545cc243555191a048e2d9f4fd9c530cb8fc99bfc6d9df7d376ccf0f498e1b78bb9a46e5595f91f2d654e43b1

Download Submit
memory/768-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads