5a7ecb2e4eb3b66b92e7a5aae6054fe4b0949ae63f53c1d5abcfd62a9341eead

General

Target

c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe
Size

324KB
MD5

c828f91ec7017b4999031c577ebf5a84
SHA1

740e2bb0bf9064af4f49f1c5bb1c53371aee58a9
SHA256

5a7ecb2e4eb3b66b92e7a5aae6054fe4b0949ae63f53c1d5abcfd62a9341eead
SHA512

5e0f5ccb8a28b3b5254fd792062069e3c01e885b25b917fc4cb29c5f0952daed166b214541fe725573000167cc215ebf6b2c60c011fb07a972a608aff1c92087
SSDEEP

1536:tOJVn4JLlfLJ0UYFqeXx57B4JN5eCD8SlNDSSvHFRiCCVGCWPaeSe+eooOoaoCoS:QV4JLlfLIl7B4JN5eI4J

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DelA1ED.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3544	DelA1ED.tmp

Executes dropped EXE 1 IoCs

pid	Process
3544	DelA1ED.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\3323.vbs	DelA1ED.tmp
File created	C:\WINDOWS\3323.vbs	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DelA1ED.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	DelA1ED.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4072	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	85
PID 4304 wrote to memory of 4072	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	85
PID 4304 wrote to memory of 4072	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	85
PID 4304 wrote to memory of 3544	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	86
PID 4304 wrote to memory of 3544	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	86
PID 4304 wrote to memory of 3544	4304	c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe	86
PID 3544 wrote to memory of 3444	3544	DelA1ED.tmp	87
PID 3544 wrote to memory of 3444	3544	DelA1ED.tmp	87
PID 3544 wrote to memory of 3444	3544	DelA1ED.tmp	87

C:\Users\Admin\AppData\Local\Temp\c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\3323.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\DelA1ED.tmp
  C:\Users\Admin\AppData\Local\Temp\DelA1ED.tmp 736 "C:\Users\Admin\AppData\Local\Temp\c828f91ec7017b4999031c577ebf5a84_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\3323.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelA1ED.tmp

Filesize
324KB

MD5
c828f91ec7017b4999031c577ebf5a84

SHA1
740e2bb0bf9064af4f49f1c5bb1c53371aee58a9

SHA256
5a7ecb2e4eb3b66b92e7a5aae6054fe4b0949ae63f53c1d5abcfd62a9341eead

SHA512
5e0f5ccb8a28b3b5254fd792062069e3c01e885b25b917fc4cb29c5f0952daed166b214541fe725573000167cc215ebf6b2c60c011fb07a972a608aff1c92087

Download Submit
C:\WINDOWS\3323.vbs

Filesize
266KB

MD5
1861b0d15a96f0eab78821ef09f11398

SHA1
9931aec4e49a4075ce680ae5e69069f506f4383c

SHA256
0981eb96faa65fe1ea7afde1d97184d67970c06ed442919a1173b48e91ad5d54

SHA512
2b49cf513a546e43040fe63f99adf1d4cd49510a65c04d68122e398c9e1687fd5b29094261cc5265d92b740e8ee9fad46994a97d32ce86222abc7669afd97415

Download Submit

Analysis

Sharing