3bb8465a64556885bdae23336b463833fa81d918a7567f1d3dd553437e43d9a5

General

Target

be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe
Size

415KB
MD5

be2421eb7d93b963725ec2fd87a6ce42
SHA1

91b70e3c64553ebcc507212d764e99f56ed689a4
SHA256

3bb8465a64556885bdae23336b463833fa81d918a7567f1d3dd553437e43d9a5
SHA512

8f09df9882cfd29fc62cac8f1e4d5ccedf06b02c18456eb36c86218b49b950cd1f757b079ef4f8576b7316fb69dcb10cfead8fc15541e4ea3bee69157beea4a8
SSDEEP

12288:Y8OMilaWWgrHqkCpkQrQ72P6ZPSCL3TGcq77mm2:YJ9eEKfVM722PSyImm2

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\360tray = "C:\\WINDOWS\\dirtyy\\spoolsv.vbe"	regedit.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
916	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cachev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4964	cachev.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\dirtyy\2.bat	cachev.exe
File opened for modification	C:\Windows\dirtyy\2.bat	cachev.exe
File opened for modification	C:\WINDOWS\dirtyy	attrib.exe
File created	C:\Windows\dirtyy\12.reg	cachev.exe
File opened for modification	C:\Windows\dirtyy\12.reg	cachev.exe
File created	C:\Windows\dirtyy\down21.bat	cachev.exe
File opened for modification	C:\Windows\dirtyy\down21.bat	cachev.exe
File opened for modification	C:\WINDOWS\dirtyy	cachev.exe
File created	C:\Windows\dirtyy\__tmp_rar_sfx_access_check_240628046	cachev.exe
File created	C:\Windows\dirtyy\spoolsv.vbe	cachev.exe
File opened for modification	C:\Windows\dirtyy\spoolsv.vbe	cachev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cachev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cachev.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1960	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4964	1416	be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe	91
PID 1416 wrote to memory of 4964	1416	be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe	91
PID 1416 wrote to memory of 4964	1416	be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe	91
PID 4964 wrote to memory of 2540	4964	cachev.exe	92
PID 4964 wrote to memory of 2540	4964	cachev.exe	92
PID 4964 wrote to memory of 2540	4964	cachev.exe	92
PID 2540 wrote to memory of 1176	2540	WScript.exe	94
PID 2540 wrote to memory of 1176	2540	WScript.exe	94
PID 2540 wrote to memory of 1176	2540	WScript.exe	94
PID 1176 wrote to memory of 916	1176	cmd.exe	96
PID 1176 wrote to memory of 916	1176	cmd.exe	96
PID 1176 wrote to memory of 916	1176	cmd.exe	96
PID 1176 wrote to memory of 1960	1176	cmd.exe	97
PID 1176 wrote to memory of 1960	1176	cmd.exe	97
PID 1176 wrote to memory of 1960	1176	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be2421eb7d93b963725ec2fd87a6ce42_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cachev.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cachev.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WINDOWS\dirtyy\spoolsv.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\WINDOWS\dirtyy\2.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +s +h C:\WINDOWS\dirtyy
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:916
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s 12.reg
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cachev.exe

Filesize
103KB

MD5
08221288823acbbaf568791ccbf1f101

SHA1
7c246dbc0db59a35e87519a31ff022978a9c8b81

SHA256
9eacec7e37844cf13b1b8c8f09ba23196b5f66b8b84a7b6bb13e6c794f92710b

SHA512
0342804e2a722a5e99c6f70629dfe5ba3c3c720342504bc119b044811110b9c9e114e0a2d513f7a8304cba895dc00181a75a1902df02cb91f991cfd232090377

Download Submit
C:\WINDOWS\dirtyy\12.reg

Filesize
348B

MD5
70de1d90f2864ecc505010663c3dca62

SHA1
f10c6fbbff68e0164ddb920c5238af9701004213

SHA256
7cb1e35fbff4e3fbac6a0a0ddfe8b2c3347b3a3eca7754e1d29ed137809566e2

SHA512
6793eaee3c005e0d7bf22663a47872ee8d1c6cb91afa9ff3c673dfcec79110a81cb14e470392cc3b2a85c9177706a3774d1d0e0d09a5733bcda97d40f5b78de0

Download Submit
C:\WINDOWS\dirtyy\2.bat

Filesize
71B

MD5
b0143a120fc58fdc5d49736325660ec0

SHA1
f58b1652a4014e8147c657255e795d294e50b8e9

SHA256
f2591d2c8c78d19f554242c01f81f82cdb042e5742e164ff4d85a34f612c1156

SHA512
56febb85a659d2e5ba5e5ce6e850866aad6040863072dd2422a4412127dad008a3220f2b72ead3c0a76f05313015a745e50adb9aa24b97e10ad097bac107e81e

Download Submit
C:\WINDOWS\dirtyy\spoolsv.vbe

Filesize
289B

MD5
ab9d6e99a35f34f806fc5fc7ebf1d4e3

SHA1
83135132184ad5ccdc4c05ad66d69cc4cb6f8cf3

SHA256
a51187181e3b71609c57bd52dd358361b525e9aad21aaaaf572ae20bcad2da83

SHA512
3ad734f4afe22b32d67b52d692ffaf971b70c6ac243f5f3d06ae11bf6ac927bdae4747884eacc16deb0495205d37ea75c36edbc339a5984d328e7714b595fcdb

Download Submit
memory/1416-23-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4964-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads