178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758

General

Target

bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Size

420KB
MD5

bc5ed93a16efb2f651e1f11ca5f63af6
SHA1

6dd5f69073ddb90f5bd31513c9246416ee15e51f
SHA256

178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758
SHA512

29b8ae7b825ee3e0e9270f1cede229d5a1ee3b9338b7d53687b8e98c566a041a8a63d1c3005a302678e7605216c619e44e877d31c0a5a5da588f7d23165e3ead
SSDEEP

6144:J/0uoMI62w243WiGOeriNeAHS6ODHmAu2thUz00acEzcnWIXMbx9VWcFHk:JJ73WZmNfy6ODGTaUg/AWIXs5WoE

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ENJOY-~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	enjoy-soft1.exe

Executes dropped EXE 5 IoCs

pid	Process
4044	ENJOY-~1.EXE
1012	enjoy-soft1.exe
3556	ENJOY-~1.EXE
2704	Setup.exe
4536	Utility Mang.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023430-3.dat	upx
behavioral2/memory/4044-4-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4044-16-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3556-20-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3556-37-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Utility Mang.exe	Setup.exe
File opened for modification	C:\Windows\Utility Mang.exe	Setup.exe
File created	C:\Windows\Uer.BAT	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility Mang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENJOY-~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enjoy-soft1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENJOY-~1.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	Utility Mang.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4044	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	84
PID 4936 wrote to memory of 4044	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	84
PID 4936 wrote to memory of 4044	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	84
PID 4044 wrote to memory of 1012	4044	ENJOY-~1.EXE	87
PID 4044 wrote to memory of 1012	4044	ENJOY-~1.EXE	87
PID 4044 wrote to memory of 1012	4044	ENJOY-~1.EXE	87
PID 4936 wrote to memory of 3556	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	88
PID 4936 wrote to memory of 3556	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	88
PID 4936 wrote to memory of 3556	4936	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	88
PID 1012 wrote to memory of 2704	1012	enjoy-soft1.exe	89
PID 1012 wrote to memory of 2704	1012	enjoy-soft1.exe	89
PID 1012 wrote to memory of 2704	1012	enjoy-soft1.exe	89
PID 2704 wrote to memory of 1508	2704	Setup.exe	92
PID 2704 wrote to memory of 1508	2704	Setup.exe	92
PID 2704 wrote to memory of 1508	2704	Setup.exe	92
PID 4536 wrote to memory of 3608	4536	Utility Mang.exe	93
PID 4536 wrote to memory of 3608	4536	Utility Mang.exe	93

C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe
    "C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\Uer.BAT
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3556

C:\Windows\Utility Mang.exe
"C:\Windows\Utility Mang.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE

Filesize
366KB

MD5
a22dfb0055131ddaf228e3d0a35948fd

SHA1
8097dbb30cf73bc88146882a3a77d9e7fec0b93b

SHA256
f487ccc4f8c3d1ca61421ee17e4bbcbe6a6fa562640595162029fc1e15404177

SHA512
e7502c82c81c519eff1c8b0a31d819c9f4de2d96bb240f8b79a2a043b380428542522164afb7b270e04f07c28fe96334ff10925197e51414768d3237b79ee82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
603KB

MD5
e34bb36cd573d0b8f6600fa74d55319b

SHA1
3ca8b1f5f68bb05367af57efad823e01d163c599

SHA256
2d015636a64b4fb5545577da672d055376239db5c2d9d79bcbf4cd1b60972dae

SHA512
32df80f123ed79753a9a096333017069277d08cf6800082a23b3afd0f7c0e8136ce417a821e793e5b7d41897cfcc092037f1fd9f08a4629409d483a960d2b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe

Filesize
355KB

MD5
2cd5631e374dfaa51252bcc2d39a514d

SHA1
cb5bdf1b92f48ad9c1401550b76293d750f23fc4

SHA256
bdad534481f11ec5384e28993d8080b7f8152347e723056354e9d2622424aa7c

SHA512
91ff61d83d8e1b8475f87d2d7565a23bd1b03904959311f112eec17cd23b5174f4320f66cc2d364a0146f1c78df0443834619b2cb0a95fc941cceb1566807964

Download Submit
C:\Windows\Uer.BAT

Filesize
132B

MD5
aaf8434df1f8c6c6ed749ab01d1c22c6

SHA1
fa41fb89750fdeb128237140bcf4a0b8752f05ea

SHA256
be4ea232c5a9877e3c943a4738b18a8a4ec605a9a0562c00e89967f451769a0b

SHA512
bba9f6c1f4a63fcc756a05fa5ab900b28fa16ea7a7fd7342333073bcbcb1d9d36f2705a3d8a0b2b0c5d9466804ab7c0e1451d1c092b7acfd424d0ab6cc3266cd

Download Submit
memory/1012-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-35-0x0000000000400000-0x00000000004A498C-memory.dmp

Filesize
658KB

Download
memory/3556-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3556-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4044-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4044-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4536-38-0x0000000000400000-0x00000000004A498C-memory.dmp

Filesize
658KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads