48aaef4ea969d2bbd8f8df90d503ab61bf11603c1418fd10ecbaad76c9cd8548

General

Target

b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Size

1.2MB
MD5

b510b319093c025dc6bc07150274cdd6
SHA1

0958a07771f7297db8c0478a4dc546ebc9ba1202
SHA256

48aaef4ea969d2bbd8f8df90d503ab61bf11603c1418fd10ecbaad76c9cd8548
SHA512

17c9ef8c56a0697584608406c3770bf95e6a5a0f4119b99c288751d7d3fb52b7a31cbc4dcbe50100fe61659362fe64e2dc33f9578b9fce21df2b0e6fd201acbd
SSDEEP

24576:PFTh7MY07yRmPROC9Gkx6KlOzpyhvzOw3vwfJ88BymVW+oDHP+:PFNj07yRmUqlYyhMfJ8OymboDv+

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
framework.pcsoft.fr
Port:
21
Username:
framework
Password:
framework

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
892	InstallFramework.exe

Loads dropped DLL 3 IoCs

pid	Process
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallFramework.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000002597d63120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe02597d631559a8a92e00000071e1010000000100000000000000000000000000000088b2b6004100700070004400610074006100000042000000	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000001559b1a9100054656d7000003a0009000400efbe02597d631559b1a92e00000085e1010000000100000000000000000000000000000070c50c01540065006d007000000014000000	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000259b56510004c6f63616c003c0009000400efbe02597d631559a8a92e00000084e10100000001000000000000000000000000000000092113014c006f00630061006c00000014000000	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000b8d58567d7e4da016af5fd55dde4da0161bd3af10ef4da0114000000	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 892	816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe	96
PID 816 wrote to memory of 892	816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe	96
PID 816 wrote to memory of 892	816	b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b510b319093c025dc6bc07150274cdd6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
12.8MB

MD5
260015c85e2ea21cc66d474b626e82bd

SHA1
5d470e999947a15f47eeb8fb8917600173039d96

SHA256
b07184aae9bb9de950b5ae585737bb8303b3d2f897338ec913ecfa1b068bcbaa

SHA512
52f5a43c33385190b2845176708d1d9b1e1767e9565d6980b7c6882460d0e3328e3373eac5a6fdd720a4361c03fd92c41b70724a47c9e2445bce872f631bc2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120OBJ.DLL

Filesize
2.4MB

MD5
77f2ed0f4f741ea2de9d10be9e6310ef

SHA1
f350407060c29617cbf5d7d79f5b89e16b2f8220

SHA256
a7fc9b0ce2e7444acbc571aa7b85409cb5f6662a32936cdfc0a06329eeadf44e

SHA512
049dae1a24d764e8a81ba117654400767c61d456e09772f45406698d07f6ec739ecf6d33a210f6862ebf0ca153949b54f78027ce57475a73998b210bfdcff5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120STD.DLL

Filesize
485KB

MD5
362850fa2820d5884d38ea6f467463d8

SHA1
6ae1d3abf0072b6f288034c69d229efeea518fc7

SHA256
d7718ae7e095b5e44d227d6319e285ee580f8c07b6383e6c834a065628f0dd57

SHA512
243b8edea4438fef08f835dc13c529e9cc478a5660dd1054ccc8113083e13b5b57ad90ab4bc51fa11494626b595b124dc135a3c8a962701a86a300ff7cc21b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120VM.DLL

Filesize
1.7MB

MD5
a54e5710bfae8d5454185b547f703199

SHA1
12b8f21e50d1d3990a1ff44c869fa59167fbb0b8

SHA256
04802d02c337e316cbc122abecac12d5c9ee073b0609cd71028d6d255ba75651

SHA512
947afb6ef542f762c8dc21878562b60b63d108b7272c3c3ddc69c03949652cc2c0b99b91683155ea4c034ec7226ce1779ec0f029034793155dba2a5076c8e08a

Download Submit
memory/816-107-0x0000000004600000-0x0000000004620000-memory.dmp

Filesize
128KB

Download
memory/816-105-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-103-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-108-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-109-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-110-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-111-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-112-0x0000000004600000-0x0000000004620000-memory.dmp

Filesize
128KB

Download
memory/816-113-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/816-114-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing