7f5a5bb95531c332bf2bf123a14bef547a11172aed9a169c670f96a35ee8813c

General

Target

c203053d382faa0c7197850b8502929c_JaffaCakes118.exe
Size

216KB
MD5

c203053d382faa0c7197850b8502929c
SHA1

3b260a0253bcfe530c622dc31eb20fb0859f51fb
SHA256

7f5a5bb95531c332bf2bf123a14bef547a11172aed9a169c670f96a35ee8813c
SHA512

6ff25cb6caffbcc1f547b70017cb28b12d0923230355d5e862dadef45fc282aa07888d1f8223d15255097f24f70259c3a3fcde5f07ebcf8302ea2fb7b79b251f
SSDEEP

3072:+SGSAcPqnQ10dR35Q93jAOS9lHhD750uLA1jlbeHUTyBFxDGTyYOfcKS1ufeW:+LcPqn5REDilFlhBPDqyYOfcKS1

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2896	serve.exe
1292	qwqrrr2e.Exe
1200	qwqrrr2e.exe
32	ctfnom.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234a1-8.dat	upx
behavioral2/memory/2896-15-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1200-31-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1200-36-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1200-34-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-46-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1200-51-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2896-53-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-63-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-85-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-107-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-130-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-152-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-174-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/32-195-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfnom = "C:\\Users\\Admin\\AppData\\Roaming\\Dir\\ctfnom.exe"	ctfnom.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 1200	1292	qwqrrr2e.Exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qwqrrr2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfnom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qwqrrr2e.Exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1200	qwqrrr2e.exe
2896	serve.exe
1200	qwqrrr2e.exe
2896	serve.exe
32	ctfnom.exe
32	ctfnom.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2896	serve.exe
1292	qwqrrr2e.Exe
1200	qwqrrr2e.exe
1200	qwqrrr2e.exe
2896	serve.exe
32	ctfnom.exe
32	ctfnom.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2896	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	84
PID 916 wrote to memory of 2896	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	84
PID 916 wrote to memory of 2896	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	84
PID 916 wrote to memory of 1292	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	85
PID 916 wrote to memory of 1292	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	85
PID 916 wrote to memory of 1292	916	c203053d382faa0c7197850b8502929c_JaffaCakes118.exe	85
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 1292 wrote to memory of 1200	1292	qwqrrr2e.Exe	86
PID 2896 wrote to memory of 32	2896	serve.exe	87
PID 2896 wrote to memory of 32	2896	serve.exe	87
PID 2896 wrote to memory of 32	2896	serve.exe	87

C:\Users\Admin\AppData\Local\Temp\c203053d382faa0c7197850b8502929c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c203053d382faa0c7197850b8502929c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\serve.exe
  "C:\Users\Admin\AppData\Local\Temp\serve.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\Dir\ctfnom.exe
    C:\Users\Admin\AppData\Roaming\Dir\ctfnom.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:32
- C:\Users\Admin\AppData\Local\Temp\qwqrrr2e.Exe
  "C:\Users\Admin\AppData\Local\Temp\qwqrrr2e.Exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\qwqrrr2e.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qwqrrr2e.Exe

Filesize
77KB

MD5
bd7d6aff3e763aa2314eb93ebb95e603

SHA1
abb720cc1b701a7e8ec418bcfc37aa7d91be3e94

SHA256
27601e469d4069a69a394c636d1ce5b1710f028da8220c84c8878c795e324000

SHA512
024d5dc75e03afba7a20b95ff6274c5f3c21a6b0dca9d58d735c697bba3fe60fd12d89b73f7e58b8cfd380fd8beb64ac3fd20e1e81d3a3687fd318d6b4fcf607

Download Submit
C:\Users\Admin\AppData\Local\Temp\serve.exe

Filesize
70KB

MD5
b606603a943ca89319ee23c89d2a7831

SHA1
a25323fa3b44e5ae814e9b15de4319eba6553900

SHA256
df5ac8becc806b3788db9c58f717fd938f5db0cf11a6e630811c04cbee6a0bb1

SHA512
9a63f6b06f2e5bb714e3fef8fe7e72c4bcbcc6d9f5d4dfbe21c1ecf190377c809781f2502cf9014f888b9f2bde5fe79abd16a8cff624ad35bd5f38d905b201d6

Download Submit
C:\Users\Admin\AppData\Roaming\Dir\Dated.dat

Filesize
4B

MD5
cb492b7df9b5c170d7c87527940eff3b

SHA1
66928e6cbb59c3a3bce606959ef4a865fe04e642

SHA256
dba5166ad9db9ba648c1032ebbd34dcd0d085b50023b839ef5c68ca1db93a563

SHA512
ce677db6ae33c5496874a2902d30d361f6cf12576e96bd8a9f6626a0ca29f0b4f97e403e54711d24ebf34d4e183235a8f9951345d32a20f2dad476d911ee7e06

Download Submit
memory/32-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-195-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-46-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/32-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/916-1-0x000000001B280000-0x000000001B326000-memory.dmp

Filesize
664KB

Download
memory/916-2-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/916-26-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/916-4-0x00007FFE7EC90000-0x00007FFE7F631000-memory.dmp

Filesize
9.6MB

Download
memory/916-0-0x00007FFE7EF45000-0x00007FFE7EF46000-memory.dmp

Filesize
4KB

Download
memory/1200-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-51-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1292-40-0x0000000000400000-0x0000000000406001-memory.dmp

Filesize
24KB

Download
memory/1292-25-0x0000000000400000-0x0000000000406001-memory.dmp

Filesize
24KB

Download
memory/2896-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads