300193a94005925547c3d7b0b4e0460db6ec119082e2d4fc05558894f4ec837d

General

Target

c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
Size

872KB
MD5

c7eaa037368662cd6a645a6e0c0f7fec
SHA1

3b47345ec9806a48786a9d8771b4b0a1a597107b
SHA256

300193a94005925547c3d7b0b4e0460db6ec119082e2d4fc05558894f4ec837d
SHA512

a434bdebb4b7b50170e906c547bb887a112b4794ed5e686445d3ef9e3e326a67109b3ea062ac38340082113b2914b7e4c20dee93bda026fec51625f52dd1fc36
SSDEEP

24576:u8ETUGNW7WJmt6VuHUD2nIVijiFM/k/6l+xs1URuNQ5CLuByHehATUrohab6RK9H:cTUGNW7WJmt6VuHUD2nIVijiFM/k/6le

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
324	Ins678F.tmpinstall.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4392	MSIEXEC.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ins678F.tmpinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4392	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4392	MSIEXEC.EXE
4392	MSIEXEC.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
324	Ins678F.tmpinstall.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 324	5004	c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe	92
PID 5004 wrote to memory of 324	5004	c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe	92
PID 5004 wrote to memory of 324	5004	c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe	92
PID 324 wrote to memory of 4392	324	Ins678F.tmpinstall.exe	102
PID 324 wrote to memory of 4392	324	Ins678F.tmpinstall.exe	102
PID 324 wrote to memory of 4392	324	Ins678F.tmpinstall.exe	102

C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\Ins678F.tmpinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Ins678F.tmpinstall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://dlf.pafke.eu/client/pkgs/springbok2/Springbok Casino20191018030325.msi" DDC_DID=3372131 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=3372131%26CASINONAME=springbok2 DDC_UPDATESTATUSURL=http://190.4.88.169:8080/springbok/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.88.169:8080/springbok/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=referrer CUSTOMVALUE02=Direct%20Traffic SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins678F.tmpinstall.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ins678F.tmpinstall.exe

Filesize
1.2MB

MD5
d18274436790f5b080b06213bd518772

SHA1
71d63e4fc0d685168888f98937fb8377f65946cb

SHA256
d4699b6d2aa6dfd33319afdb1fdc2f72776ab432acacf8f6d35f59e22c416e54

SHA512
99e1624aec19b41b62214f675d7b317510de364bc7d643ce55fbde7e7f54524ee17434823a1e66584f34bf5884a7eb21e5c72854ed9304884687594ecda15f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is6AFF.tmp

Filesize
1KB

MD5
ab12ed683e2123972b2367f7bcc9e1d1

SHA1
39f5295e814b04e0c73e48c1a3cdb7ada955b69a

SHA256
58358cba02428bddb6a0b7517a96abe2ba30a8edf59b8289beb3f3defcc63bb8

SHA512
86ea2240b06df985c5428a8c8227c264867edec8a4be5eb818b23ed35ad07b8143edd302c285fce77eeaa884348ca0c98336822fc4c6fdfd3464955e8dde097f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38F4FAD3-A283-40FA-A728-B992421408FD}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38F4FAD3-A283-40FA-A728-B992421408FD}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6AFC.tmp

Filesize
5KB

MD5
b880af62de4fbdcf49f0071092133ecc

SHA1
f229a3388ff2a34b0723bf1532b430ad9cda2a61

SHA256
37f07ffba5ec4cf3b0c9cc18add087493d281f2f86f801fed6f5d39ab889b65c

SHA512
460685297136af65bed406ef199f30eed457062bf985b3c9b85d214f755f94beb5240bd592616589c31dea7d901b4299c8f40a6896cbe9d425d3890d1e98e267

Download Submit

Analysis

Sharing