5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4

General

Target

a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
Size

77KB
MD5

a36e54cd1cc3d386f74fa3c8ccdaa71b
SHA1

875819d86f5f6f3c086b63b32fc973e0b60f897d
SHA256

5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4
SHA512

88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f
SSDEEP

1536:E4j/n/LaHhf7P+ifYQBS0746W9N6Gjb7c2KXls20mRuYW8x+j:ljvjx3FKlluYWE+j

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	msiconf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe = "msiconf.exe"	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msiconf.exe	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiconf.exe	msiconf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64	msiconf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0835250E-5CBD-11EF-98CC-562BAB028465} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CB10F65A-5CBC-11EF-98CC-562BAB028465} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	msiconf.exe
2524	msiconf.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4924	iexplore.exe
2524	msiconf.exe
2524	msiconf.exe
2524	msiconf.exe
1056	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4924	iexplore.exe
4924	iexplore.exe
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
2524	msiconf.exe
1056	iexplore.exe
1056	iexplore.exe
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2524	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	84
PID 1048 wrote to memory of 2524	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	84
PID 1048 wrote to memory of 2524	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	84
PID 1048 wrote to memory of 2196	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	85
PID 1048 wrote to memory of 2196	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	85
PID 1048 wrote to memory of 2196	1048	a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe	85
PID 4924 wrote to memory of 4940	4924	iexplore.exe	103
PID 4924 wrote to memory of 4940	4924	iexplore.exe	103
PID 4924 wrote to memory of 4940	4924	iexplore.exe	103
PID 1056 wrote to memory of 1136	1056	iexplore.exe	117
PID 1056 wrote to memory of 1136	1056	iexplore.exe	117
PID 1056 wrote to memory of 1136	1056	iexplore.exe	117

C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\msiconf.exe
  C:\Windows\system32\msiconf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A36E54~1.EXE >> nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Thumbs.db

Filesize
14B

MD5
7fdf22ea47b6439bff8c6577db2d5f2f

SHA1
742940d7eabbf4ef6d6b2fd61750f14474d41f3b

SHA256
9b7e80ae7887e2b78defc5d77d27d38e2420ecdb8581e1633194a99a8735fec0

SHA512
49ad17bf2d37efb10e86993a771d6fc146be4dc6304fda0aceae45c6d11c72a1589756f4220cbca7e83ee04e7930129df00b1dfc53370dde01f9932ec78145d9

Download Submit
C:\Windows\SysWOW64\msiconf.exe

Filesize
77KB

MD5
a36e54cd1cc3d386f74fa3c8ccdaa71b

SHA1
875819d86f5f6f3c086b63b32fc973e0b60f897d

SHA256
5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4

SHA512
88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f

Download Submit
memory/1048-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1048-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1048-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1048-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2524-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2524-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2524-31-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2524-35-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2524-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads