96396d2863a5fc457c5c8764efc53567851e74b964dda134e3369f26397bd17b

General

Target

aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe
Size

3.0MB
MD5

aba7d7a2ba18044a771bbfee2842c84d
SHA1

7f7c43c474d0193740aaa869e24723d4b8280cf9
SHA256

96396d2863a5fc457c5c8764efc53567851e74b964dda134e3369f26397bd17b
SHA512

31102ae9f86b5aa8b870d61aec7f1b3eacad18698be7854fd4fe06b5c7d7e247a8228b0023b55ede11a690b169548a3921561718a08ccb5a191850424fd06ff9
SSDEEP

49152:7PE0QrfILSZIKZPLgKNcRMMnGNk9pDB8JrSjrjEDDDspGniUSok6H:7PNQrALSiELgKNcRMHkeF3hiZ36H

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	New.exe

Executes dropped EXE 4 IoCs

pid	Process
2336	Keygen-DI.exe
4616	7za.exe
2100	New.exe
4496	setupv.exe

Loads dropped DLL 2 IoCs

pid	Process
952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe
2100	New.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/952-0-0x0000000000400000-0x00000000007AF000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-7.dat	upx
behavioral2/memory/2336-16-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/files/0x00090000000234ad-23.dat	upx
behavioral2/memory/2100-29-0x0000000000400000-0x00000000007AF000-memory.dmp	upx
behavioral2/memory/952-31-0x0000000000400000-0x00000000007AF000-memory.dmp	upx
behavioral2/memory/2100-49-0x0000000000400000-0x00000000007AF000-memory.dmp	upx
behavioral2/memory/2336-53-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-54-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-55-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-64-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-65-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-66-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-67-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-68-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-69-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-70-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-71-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-72-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-73-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-74-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/2336-75-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen-DI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3764	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3764	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4496	setupv.exe
4496	setupv.exe
4496	setupv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2336	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	86
PID 952 wrote to memory of 2336	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	86
PID 952 wrote to memory of 2336	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	86
PID 952 wrote to memory of 4616	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	87
PID 952 wrote to memory of 4616	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	87
PID 952 wrote to memory of 4616	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	87
PID 952 wrote to memory of 2100	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	90
PID 952 wrote to memory of 2100	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	90
PID 952 wrote to memory of 2100	952	aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe	90
PID 2100 wrote to memory of 4496	2100	New.exe	91
PID 2100 wrote to memory of 4496	2100	New.exe	91
PID 2100 wrote to memory of 4496	2100	New.exe	91

C:\Users\Admin\AppData\Local\Temp\aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aba7d7a2ba18044a771bbfee2842c84d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\Keygen-DI.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen-DI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\New.exe
  "C:\Users\Admin\AppData\Local\Temp\New.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\setupv.exe
    "C:\Users\Admin\AppData\Local\Temp\setupv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x458
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen-DI.exe

Filesize
197KB

MD5
e31a7e3925a29dcbb1dd1da09e29009d

SHA1
588a84f01319b0953bf4d8f5dd0af12d94589c25

SHA256
e0555500aca0c2d9d50d18062652983591f7d8b385317a516d847c66d298e9cd

SHA512
04a9c6eda3428f55280447ce836de461501cdfa00aad90438584454fa4c1ae7826099494f5c45649fb41ad3610063ed0952cd871f7b2ea47e7da148028929ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New.exe

Filesize
2.4MB

MD5
c5523b823a09a2e685b62bb6d1f619ea

SHA1
7efb79db7d5b62c0166ba0c942d0742debbcc39e

SHA256
adae8bb8e193f02ccf2a97122f849b0c93c711fd0f89ece4d156d7bdfedbe3b8

SHA512
862e9ba99652d8946527f3e04dbb555a4cb3cbe7a7cd472daebc8949153229c084be29a373f6ab293463bfe31b3276b34e96c7847df82901aee271e1345d9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
2.4MB

MD5
a3700e6bd26082f8792f95cfc781273f

SHA1
fd6cf20919b1737b584ae200c90a0377a912fb25

SHA256
c3d797345e85bf6dd3f2e9111e38d7c31fcb98ee6b0ed1704878700a0183c909

SHA512
2adcb9d4dab2d394a614e175c9cf68948125e28d53a5ae37e76129d165fbed280707c30fa502aaa74167df02c4eb5d52b39fa94def0f53a137b0af151e657c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieframe.dll

Filesize
5.8MB

MD5
a8ab8f27f7bba9cb6c0b8d0534b3c4ae

SHA1
fac3d58c6a3c3fbe1c77190af2f57643de5ca114

SHA256
eac7acc4f166e478bcf5f8c76ff97830c5047b031a01ff051fefc14e2ee6745c

SHA512
30c34ee48a90ef2460a968982857193e5fc79d95eeab8938d9326ced563a5b3a55b1eaaee50710a442855152a18e7187e1dda5081e9573db7b23eef71966f9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA9A0.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\setupv.exe

Filesize
28KB

MD5
4d6ca998a931987a705fc37413f10c73

SHA1
5f43d3230ab3bf4b9ecbcaa24a6a2ca7a07f33b9

SHA256
c6d549507bdf7ac4654eb3e3e5b2def93bd8b77b52c23a5f05fd9c0a2a7315bb

SHA512
dcb4042bb87cb203f27f524c4a94baeb529e32c9ebd73456c8e0561ba5811a9c1c58d0d4d5321686a4ff5ffd3deca4e61befe29fbe016d489bd1f0052e46372c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpurl.txt

Filesize
81B

MD5
fbac89399dd22c284c65c37c2c632f2e

SHA1
dd9bba6a7fba34d58b8cb4e6eeaed6ce9e9933c3

SHA256
07212196b77ac2c2ce0a0412008f2fb6bc8066ab04336b6e53341e5badfd55f1

SHA512
0a3f99e995634aafd6290eb8cec07c95a26b2db41f712efd49340526f1fcc1bfbf65ade8632237a8b8ab0df414f7e9143a30ef8ada51e82aef266af72f84079e

Download Submit
memory/952-0-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/952-31-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2100-29-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2100-49-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2336-54-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-67-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-16-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-55-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-64-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-65-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-66-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-53-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-68-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-69-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-70-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-71-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-72-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-73-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-74-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-75-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing