287a167aa13f9c37d8bda90bd4ac3cf016aa5edcee352335aa0ac4cd48b8ff5f

General

Target

bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe
Size

569KB
MD5

bfdb0c6b6f04d169bfb1120006d6b3cd
SHA1

5a44dc9be9f13f39e23c475e8ea92c2d425fdc04
SHA256

287a167aa13f9c37d8bda90bd4ac3cf016aa5edcee352335aa0ac4cd48b8ff5f
SHA512

8336ba74e0b22ba37dcf6adf489c7ad11ce4484d60e665ee722e32b4b67278681c66989970aa832e5483ece0905b2f3eb1d464af4ceb89331b79961c22bf8ee8
SSDEEP

12288:vh656LUEHjdycmEP7olWdPDsG5pAzFFqMsjqU8yRUbEi6Qha9xXI8oSkJUNdM1:vhlYEHjdyccle15izr2UbEfQIN8

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	temp2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	S0UG0U.exe

Executes dropped EXE 3 IoCs

pid	Process
1524	temp1.exe
232	temp2.exe
676	S0UG0U.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023452-6.dat	upx
behavioral2/memory/232-9-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/676-15-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/232-19-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/676-27-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\temp2.exe	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\temp1.exe	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0UG0U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
676	S0UG0U.exe
676	S0UG0U.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe
2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1524	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	86
PID 2996 wrote to memory of 1524	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	86
PID 2996 wrote to memory of 1524	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	86
PID 2996 wrote to memory of 232	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	87
PID 2996 wrote to memory of 232	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	87
PID 2996 wrote to memory of 232	2996	bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe	87
PID 232 wrote to memory of 676	232	temp2.exe	88
PID 232 wrote to memory of 676	232	temp2.exe	88
PID 232 wrote to memory of 676	232	temp2.exe	88
PID 232 wrote to memory of 3428	232	temp2.exe	89
PID 232 wrote to memory of 3428	232	temp2.exe	89
PID 232 wrote to memory of 3428	232	temp2.exe	89
PID 676 wrote to memory of 3700	676	S0UG0U.exe	101
PID 676 wrote to memory of 3700	676	S0UG0U.exe	101
PID 676 wrote to memory of 3700	676	S0UG0U.exe	101

C:\Users\Admin\AppData\Local\Temp\bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfdb0c6b6f04d169bfb1120006d6b3cd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\temp1.exe
  "C:\Windows\system32\temp1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\SysWOW64\temp2.exe
  "C:\Windows\system32\temp2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe
    C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe arg2
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
121B

MD5
a9dde375e2eb4dcb5391af8f28aec3d4

SHA1
6bf4e3c2a9191691f03bec1edca0a575b2eda1cc

SHA256
6d6cb98c6d82152349f71aa8d45bf42fed0adf8e9f67da65b6ba0858211b336f

SHA512
84f32ea539424f6445ee7109dc9b10b369e5b7f341e958e7ad6007f23f70469ef735861f043d13ff0d519a555cbbd217e5a6c83871fdec62230027ecdf726261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
151B

MD5
0c868490208e3557d51b93d55feba643

SHA1
291b2565763664acf8f3d6488283abf8d769fc07

SHA256
2335ff1b9f935070ea7d57a267ec87a7269673c16e8551ec745afafb9bed26f8

SHA512
e3e9108d6bf873c4a6c2847e326399f2f21a436055117ed1d8e8d3a0585b6a7a7647f607c1e5963f18101090d909dedffcdbacecd364a38af0f0e99cc1495455

Download Submit
C:\Windows\SysWOW64\temp1.exe

Filesize
502KB

MD5
226d3785b8f2ed0a62fa4ddf9a2d3daf

SHA1
f77ceaabebc75eaf619dafab1ed3d836b219116c

SHA256
09aaaee0036ab3500ba1e7041317dd746be7b38f6077fddbf8e0660f47f427a4

SHA512
9266aa4834e69dfbc2702dfad0b4548573e8a1d1c90cc0e582a1a1c31d9f5a5e2c00ef9807bd2a813173ce93c7a613980a01b4c6b972b4938d30466233001668

Download Submit
C:\Windows\SysWOW64\temp2.exe

Filesize
35KB

MD5
55c6466b91511b3c1b14c5cb7f084fd5

SHA1
008bcdea14d6cb39a8c4c761d763f4bab04fe670

SHA256
b77704530ac8d9d469a74104ccb6b324cdfc37b80673f539fadb61e679711534

SHA512
2cb44c098e707ab061726f9198a73ba392e4b41b657f51175e3467ffdd369fdc611fe28a722cb61fda2203e52034c225d17b79af7c7a2e4ef8174c52993d8c7e

Download Submit
memory/232-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/232-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/676-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/676-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1524-4-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1524-22-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing