83656ff5ffbb33d129392ca7c3e0e3398de2f841494574fd96cb8d0c977f4157

General

Target

c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
Size

1.8MB
MD5

c21ba4c47155b0eec10cd5c1a0a7f616
SHA1

5d003a8c2bd56015769e876367cbf40b39823df8
SHA256

83656ff5ffbb33d129392ca7c3e0e3398de2f841494574fd96cb8d0c977f4157
SHA512

da1d11b1aa085775753e8c4bf16cf7ef28e0cf144a18d0026b9d4f130e5550286cb9b1096cd0aaf17d29fd082cf4dba9de009a006237f4ffc0ab9609029c0967
SSDEEP

49152:5onQRdCCH5FcctL5HBZJ8IOBEeWsMCBQHX/w+gl2Di5l0j2iFyk:5ocHHcctNBZJ8IOtRMCBQHXY+gcG5ejP

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3132	hpukqtbdks.exe
1328	hpukqtbdks.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1856-0-0x00000000008B0000-0x0000000000ADF000-memory.dmp	upx
behavioral2/memory/1856-7-0x00000000008B0000-0x0000000000ADF000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\XiGuaPhoto\is-16PN8.tmp	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-03SN5.tmp	hpukqtbdks.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\WICLoader.dll	hpukqtbdks.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\webp.dll	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\unins000.dat	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-TJ6JL.tmp	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-8BTA6.tmp	hpukqtbdks.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\unins000.dat	hpukqtbdks.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\XGViewer.exe	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-EP956.tmp	hpukqtbdks.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-GK6E6.tmp	hpukqtbdks.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpukqtbdks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpukqtbdks.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
1328	hpukqtbdks.tmp
1328	hpukqtbdks.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1328	hpukqtbdks.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1804	1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe	85
PID 1856 wrote to memory of 1804	1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe	85
PID 1856 wrote to memory of 1804	1856	c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe	85
PID 1804 wrote to memory of 3132	1804	cmd.exe	88
PID 1804 wrote to memory of 3132	1804	cmd.exe	88
PID 1804 wrote to memory of 3132	1804	cmd.exe	88
PID 3132 wrote to memory of 1328	3132	hpukqtbdks.exe	89
PID 3132 wrote to memory of 1328	3132	hpukqtbdks.exe	89
PID 3132 wrote to memory of 1328	3132	hpukqtbdks.exe	89

C:\Users\Admin\AppData\Local\Temp\c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c21ba4c47155b0eec10cd5c1a0a7f616_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\hpukqtbdks.exe" /VERYSILENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\hpukqtbdks.exe
    "C:\Users\Admin\AppData\Local\Temp\hpukqtbdks.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\is-MI3RT.tmp\hpukqtbdks.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MI3RT.tmp\hpukqtbdks.tmp" /SL5="$A002A,548300,54272,C:\Users\Admin\AppData\Local\Temp\hpukqtbdks.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpukqtbdks.exe

Filesize
834KB

MD5
e25719cce0f09a6a9469f9938c5bbc0d

SHA1
12ee46b8b074ae8005f3049ec2c17da63d3db8c3

SHA256
f860e5c669593498501214479f6964c619942b3a1e783b2368e7212f941d60fb

SHA512
8034b89797006f31092e04cbb0229b1d3d776a959e1be8c36f564f0cb21714dc5519c90abb944f5be49a77c31b98987aa1a38a1618a7d963a1c4f8217db42b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MI3RT.tmp\hpukqtbdks.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/1328-21-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1328-47-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1856-0-0x00000000008B0000-0x0000000000ADF000-memory.dmp

Filesize
2.2MB

Download
memory/1856-1-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/1856-7-0x00000000008B0000-0x0000000000ADF000-memory.dmp

Filesize
2.2MB

Download
memory/3132-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3132-13-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3132-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing