55e459082bfb1bdc8dae09a5f5a95cdb73709f9747c6d65968358fd54a7a4f91

General

Target

b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
Size

151KB
MD5

b8dee22db8524617fceeb0ee62815ae6
SHA1

cf5471234667d44316c8e6175f47925938a0dc05
SHA256

55e459082bfb1bdc8dae09a5f5a95cdb73709f9747c6d65968358fd54a7a4f91
SHA512

a5b992c2cb278fd95562aa84597bbf7ef884f5cc57f2da9fb4e039336e39701df596a38e92f2b797cabda44100a5f48d713a131082e72c84f3f41f2bc2c2c1ca
SSDEEP

3072:twxVMhOC/dTDbq91+mno3t4QZQ3rt8iJkoBoyPmbQ4hGpEj:tTfFDbRnOTrt5JboyPgQpG

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DS805.EXE

Executes dropped EXE 3 IoCs

pid	Process
1440	6001yy.exe
60	DS805.EXE
1432	WinHe805.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fkre6001.exe	6001yy.exe
File created	C:\Windows\SysWOW64\WinHe805.exe	DS805.EXE
File opened for modification	C:\Windows\SysWOW64\WinHe805.exe	DS805.EXE
File created	C:\Windows\SysWOW64\WinHe805.exe	WinHe805.exe
File created	C:\Windows\SysWOW64\fkre6001.exe	6001yy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	1440	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6001yy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DS805.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinHe805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	6001yy.exe
1440	6001yy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	60	DS805.EXE
Token: SeIncBasePriorityPrivilege	1432	WinHe805.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 2540	3488	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	85
PID 3488 wrote to memory of 2540	3488	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	85
PID 3488 wrote to memory of 2540	3488	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	85
PID 2540 wrote to memory of 1440	2540	WScript.exe	87
PID 2540 wrote to memory of 1440	2540	WScript.exe	87
PID 2540 wrote to memory of 1440	2540	WScript.exe	87
PID 2540 wrote to memory of 60	2540	WScript.exe	88
PID 2540 wrote to memory of 60	2540	WScript.exe	88
PID 2540 wrote to memory of 60	2540	WScript.exe	88
PID 60 wrote to memory of 1432	60	DS805.EXE	93
PID 60 wrote to memory of 1432	60	DS805.EXE	93
PID 60 wrote to memory of 1432	60	DS805.EXE	93
PID 60 wrote to memory of 3928	60	DS805.EXE	94
PID 60 wrote to memory of 3928	60	DS805.EXE	94
PID 60 wrote to memory of 3928	60	DS805.EXE	94
PID 1432 wrote to memory of 216	1432	WinHe805.exe	95
PID 1432 wrote to memory of 216	1432	WinHe805.exe	95
PID 1432 wrote to memory of 216	1432	WinHe805.exe	95

C:\Users\Admin\AppData\Local\Temp\b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vbs.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 524
      4⤵
      Program crash
      PID:2144
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\SysWOW64\WinHe805.exe
      "C:\Windows\system32\WinHe805.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe805.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1440 -ip 1440
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe

Filesize
23KB

MD5
1c483442afae578502d9fcab1dd930ba

SHA1
fa453db53916e8729e896a73ea31fc233ea0b54c

SHA256
9e031c9d57c29ab1b5c553a08917376f907a0fafbb56a7a9dbeacd662df34f2a

SHA512
a168bfeb4524bcc9dd0c81bf0eeeaaa5204c4f31ba417697d02f93c6849e4844423542a2cfd4db2458bcd9c7b37cdf7fd6b387c0130f7a8af850a4bd6c205e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE

Filesize
26KB

MD5
8a609bbba4f3796d0b6980b17a8a47ba

SHA1
312e95b09bd9d6694a0f889624af0adbdd4d6d4c

SHA256
f622974c641931fcdea84b76f715c71a8cd1d431e6338e9076e3caa64369d5c3

SHA512
3670ffb7c17bebbebc81aa3fa6ad1645c6751754d8bfb89cf62a4b8c6ed0600230e89656425d6ca02ae0b3825d0e81a43586168fae1ddcbf266e5397f9b7b9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vbs.vbs

Filesize
121B

MD5
397767bbf05ba893ea9ddb407c2b4167

SHA1
bde2e22aa7a576e943ce35e5274ac91503f22bf3

SHA256
d415f59a360d78e9c35fd7b9524c8653925b03e9a333ef3fbf4082ff8ed389bb

SHA512
734539157cff569fab590d7fc7a29ccf8f64891637e9715584330cc57abea355e472d381b5b8a422e12a4c2ba2be7dd098e2603b9fe5a445dba9acfe8ec1ea70

Download Submit
C:\Windows\SysWOW64\WinHe805.exe

Filesize
28.2MB

MD5
0174cae7e1920af929b54330fc6ebdb1

SHA1
789bdc8c64623875488ebb747344891b5b2ec1ad

SHA256
8eec57686ae28196d26d45af0e3a540cf13e5e50e27b6a9e246b933f46607440

SHA512
13f5a282d8c8abd5c87b6add02f08181ea84c4f1b2636147c18706e112eb736cbae27b543f2f0c626cc8001cac29418c46e53ddf68da60f16c3f29af2ff1b30d

Download Submit
C:\Windows\SysWOW64\fkre6001.exe

Filesize
28.2MB

MD5
6e0429af9d43b0731f0c4f7e60d5604a

SHA1
d030e75f95af76b939f4f99f4a94f7f1c4a831c5

SHA256
0a729ee15bcc168dffc786387d40483e5f25895bb1b4ecaf5a7737f23b83ff54

SHA512
f9191edec772e78799e989eefd938a6acb5943c3325ff72d7a193250aa4e52d1a163ccaa985eea2669dbc1e206bf6671b71c1b49fd541fa9247a1064bd6c9b53

Download Submit
memory/60-33-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/60-20-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/60-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1432-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1432-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1440-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1440-13-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/1440-36-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3488-37-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing