1c02e0ffa461657c95e9c5e8a7840609d80a71ae7c41f9367578402c1b472ac5

General

Target

af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe
Size

1.5MB
MD5

af3a45953d8894fddef01a39ed00ce9d
SHA1

6358694a6ec0fd7b8efdcebc8d596f650a1509b0
SHA256

1c02e0ffa461657c95e9c5e8a7840609d80a71ae7c41f9367578402c1b472ac5
SHA512

25ecefebeb4229f7f76873e1819b54eae8189806262876dc6c29ad9b8e481281c2f4d333f26726f5e51bc763807289a93b05b95d50429ffa36a59d6d553e23b7
SSDEEP

24576:pzbBc+A5PEAmvudHq0tqymmf7lXLx5NoyYu9Vr0Rkr7CsFg2Gjp3kU+jLO4/:p0TmvCHq2Tm0XTNoYxPLbK0U+B

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 3 IoCs

pid	Process
5012	install.exe
2092	isass.exe
3496	loader.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	isass.exe
2092	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3468	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe
5012	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	isass.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2092	isass.exe
3496	loader.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 5012	3404	af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe	87
PID 3404 wrote to memory of 5012	3404	af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe	87
PID 3404 wrote to memory of 5012	3404	af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe	87
PID 5012 wrote to memory of 2092	5012	install.exe	88
PID 5012 wrote to memory of 2092	5012	install.exe	88
PID 5012 wrote to memory of 2092	5012	install.exe	88
PID 5012 wrote to memory of 3496	5012	install.exe	89
PID 5012 wrote to memory of 3496	5012	install.exe	89
PID 5012 wrote to memory of 3496	5012	install.exe	89
PID 2092 wrote to memory of 4224	2092	isass.exe	90
PID 2092 wrote to memory of 4224	2092	isass.exe	90
PID 2092 wrote to memory of 4224	2092	isass.exe	90
PID 4224 wrote to memory of 2888	4224	cmd.exe	92
PID 4224 wrote to memory of 2888	4224	cmd.exe	92
PID 4224 wrote to memory of 2888	4224	cmd.exe	92
PID 2888 wrote to memory of 3468	2888	cmd.exe	93
PID 2888 wrote to memory of 3468	2888	cmd.exe	93
PID 2888 wrote to memory of 3468	2888	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af3a45953d8894fddef01a39ed00ce9d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c setup.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3468
- - C:\Users\Admin\AppData\Local\loader.exe
    "C:\Users\Admin\AppData\Local\loader.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
1.2MB

MD5
b96b29381760860bfb17d87e85ca8d08

SHA1
b5a8a3e928868fdd550ebeb7bf057fd87e47e3ff

SHA256
8ad6cbeed74237f583efd8866cb500d37c82a17fd368ed4d577d763dbbc1a311

SHA512
32b7b4093b811baffdcb0e7a8ab6589d57563ac1f12bbe450199f2c25964543cf7d05dd604a450bdb7161b8a74b47a7686d7ab77ecfff57462fc6129fc6afaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
520KB

MD5
92787e583c924050b115ec0718277b0e

SHA1
a411362d9a5ceed7e642a9ab679ed7c21ce71189

SHA256
75ad334bf7be94d8361afeea0174d5478df62bd3984f141635d913075cfc2b91

SHA512
e03d3e8a4864ca3efccbc8f5da172dd6ad06842e88264aaa2c6d99c4d4b4340d47852a31434bc909981df855247618c04ea46688082c61f5d3386449a54658bd

Download Submit
C:\Users\Admin\AppData\Local\loader.exe

Filesize
236KB

MD5
6a1d305d5418ddac2f47ed0cba35f77e

SHA1
dff5eb1999137b18ca0be4c51e7897a71dfff587

SHA256
a99582eb9412a85b851be6abbb35a4512a9a3f1487e1b4e3c9feef5e96c81e7f

SHA512
d711217f9cb7182a0c88c5be69b236ef315c3bab82f68f929b79af2d93c8b701f980dc4324243bfe635d22864a18fbc571ba254db238ad80e18ffab77e1605ab

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
216KB

MD5
c9e7bf0068bf9d191ff0f45ccaf65f99

SHA1
40d9f5ee5814ccde7a460d188fa3609ff613c14c

SHA256
8adb4f985d7ff250c803d537c4ab1b8e76259aba6db41b27c327f0bb64fa63f0

SHA512
802bccbbfcc7c5c882ed3273b5fdde2b2a3963775e1d705cd410d0d32dae63f9a303cf307c36fa532c7956ae2abb800bd5a4b6208fcd36bc89ce1475e35ee640

Download Submit
memory/2092-28-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2092-34-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/2092-40-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2092-42-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2092-41-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/2092-64-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/3404-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3404-9-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5012-37-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads