f3fb5dc933c775cd39cf91ea88d532d5dc412c0878b6f40566c93078fe54a5f0

General

Target

cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
Size

1.6MB
MD5

cfd7fb6cda0e632db6b6e207054b5c6e
SHA1

4fef277781cc71b43640f073377e99b03ffca6de
SHA256

f3fb5dc933c775cd39cf91ea88d532d5dc412c0878b6f40566c93078fe54a5f0
SHA512

257fc3d3c2b43f3b4eac29db57e07033943fdac47139167d19e8afa17b300e8177d3b94e8f211c72e99519eaed399990b6d21e220441330e6c2b97f20fc61a87
SSDEEP

49152:YZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9M:YGIjR1Oh0Tg

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3456	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3456	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4028	1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe	90
PID 1752 wrote to memory of 4028	1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe	90
PID 1752 wrote to memory of 4028	1752	cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe	90
PID 4028 wrote to memory of 3456	4028	cmd.exe	92
PID 4028 wrote to memory of 3456	4028	cmd.exe	92
PID 4028 wrote to memory of 3456	4028	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfd7fb6cda0e632db6b6e207054b5c6e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5838.bat" "C:\Users\Admin\AppData\Local\Temp\5CEACE0C888B4E748FC0185C3F7BC825\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5838.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CEACE0C888B4E748FC0185C3F7BC825\5CEACE0C888B4E748FC0185C3F7BC825_LogFile.txt

Filesize
2KB

MD5
539254ce5cee076b42a0e2b547a63c93

SHA1
66c1c972e0a622e1445c953bbcf79c8a246f6eb0

SHA256
7e2219c8452e00de3d43db03ff93a83f61f054a46c1576160ef24061a93993d1

SHA512
0607cd833e6631b1f7fbd1b31a1d8ec83e1a472043baa385c787a47d5cfeb443bd722fd2eebff52db8eda811f743b1f432f18ee0fa4a5be03260479dc9e9e2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CEACE0C888B4E748FC0185C3F7BC825\5CEACE0C888B4E748FC0185C3F7BC825_LogFile.txt

Filesize
9KB

MD5
bbe7a0598bb8a815ca89bf5cdef37f73

SHA1
0edf914aba093328d5e01daffc39a1b8cef3f925

SHA256
cf0a80025548b11a8cc5832f14263b0c43bb8e397f3cf412223661073b2db178

SHA512
22704259991822e5ad34f8e092c9a37ebda84e06fb76c6349ee085e1a0d9fa4e4ba99b292a6f97e3c4a688264e1ca35fec98c2e4bc2e3ba564461877ab99c32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CEACE0C888B4E748FC0185C3F7BC825\5CEACE0C888B4E748FC0185C3F7BC825_LogFile.txt

Filesize
674B

MD5
3dcb1cc9b399976afc698f3086af36c0

SHA1
5dc0c4d6f4233000833c085e7a5bd62f1451795a

SHA256
5b921540d4c132d63918e9ea617e13fa620fea11980c8cab4981fed7f92e3fb1

SHA512
84524515d05f4115ef20a8c1fed57360c9622d80620a33e138941d0ce44731218d416b5016b9a235269f2aad670e0dab6915cb2cfa19fe6fb6d2528eef2542e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CEACE0C888B4E748FC0185C3F7BC825\5CEACE~1.TXT

Filesize
118KB

MD5
2135cc0c78c412b0e3c751fce126d713

SHA1
b9fff5581b5345e30c62735d1a8fcff1aa1bc4fc

SHA256
7e8621780d4b86f1060faf90eca2b207a7d4c20ffe2cd81ed172378376dc0b7d

SHA512
e6c399cf5cf091a28d10c0293482ea862e16a77bb58538bffa92b69cb41af2cc149cf110fc0b8a7c8c36a54998ce7d163de90096c7a6b7fefdfb584258b3046e

Download Submit
memory/1752-63-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads