b27bc82511bef167d26e0033dcd91863f4e469018f92225906614029c4a16eb2

General

Target

bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
Size

399KB
MD5

bc7c1125f696e59ce3c2bcf6ab552b9e
SHA1

f51bd1ec192d7b89df707219fd5990615995122c
SHA256

b27bc82511bef167d26e0033dcd91863f4e469018f92225906614029c4a16eb2
SHA512

564620988dc56dfce80f7076a74d7242a7007634aaba70f6641eb5407bdfddd29761a3d5d22804b567925f53d5ab0c13e12f825123b439cb1427e4cab319d56e
SSDEEP

6144:/LBchTO+M14IF2idZecnl20lHRxp3g8lk9ihl0/srEQpPK+e1FtEuxF+U2/kQp:z3ZF3Z4mxxnoEtlK+kt9T2MQp

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\atmQQ2.dll"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32\ThreadingModel = "Apartment"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}	3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4820	4020	bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe	84
PID 4020 wrote to memory of 4820	4020	bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe	84
PID 4020 wrote to memory of 4820	4020	bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe	84
PID 4820 wrote to memory of 4808	4820	3.exe	85
PID 4820 wrote to memory of 4808	4820	3.exe	85
PID 4820 wrote to memory of 4808	4820	3.exe	85

C:\Users\Admin\AppData\Local\Temp\bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
28KB

MD5
95586abf9185ddf5685852bda8d7284a

SHA1
be091ebdb8f2adf97d48064f7e90df03ee30b48a

SHA256
ea27308d963b69b1dea8f6f224ca8a51546177a126e3916d17024c84fb1431bc

SHA512
bcec887d462c80c72acb62ccddef28822d760a6ee32384cac186d1f185798fa84f31c856221f4c1a11b659b77cda7a9b37b6fc0d3e2d8cb6ca80b65e5de9b2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT

Filesize
142B

MD5
7a118aab14033f7de50341c044da8cfb

SHA1
41d68565b813c2206b7e4db4295343301c2eed9c

SHA256
784e18e46f1043c2341d01085a943ad54245f7a49b93d243c89781c5d0de16c8

SHA512
ab53fb3632020c36e8805bb1b9e3280458e05a07e1247a666507d41bc0af528174c0707266026ee1751957917b4bc29adb37d09741a7e3e457dd8942e581ba0b

Download Submit
memory/4020-0-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-2-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-1-0x000000000101C000-0x000000000101D000-memory.dmp

Filesize
4KB

Download
memory/4020-3-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-7-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-8-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-4-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4020-17-0x0000000001000000-0x0000000001073000-memory.dmp

Filesize
460KB

Download
memory/4820-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads