6d0f958596f72608fa7263552583a1802673f135b5886545b60320cd60384bea

General

Target

d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
Size

1.7MB
MD5

d01be792134387bfa12c4c4db206338a
SHA1

edb80fd21c9d3082359e44cd244801c07902f28b
SHA256

6d0f958596f72608fa7263552583a1802673f135b5886545b60320cd60384bea
SHA512

4377a4ccee73e4e7448e4460792845bca36a202db8ecc86bf70f95fc164116d979b93fe4e5eab4334ca3143c73f5f797eb9a4aa5d3afbe4980a56407c88831a7
SSDEEP

49152:Hca33cLLfJhPYHMIclNA5uAOlTM9rMEkOhPGO:HcaHcXHPYHM9uJOlTMd/kOz

Score

7^/10

aspackv2 discovery vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023461-19.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4380	xy03.exe
4284	3317.exe
3452	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe

Loads dropped DLL 1 IoCs

pid	Process
4380	xy03.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5076-0-0x0000000000400000-0x000000000072C000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023461-19.dat	vmprotect
behavioral2/memory/4380-22-0x0000000074230000-0x000000007423F000-memory.dmp	vmprotect
behavioral2/memory/5076-35-0x0000000000400000-0x000000000072C000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lqcyc52.cyc	xy03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5008	4380	WerFault.exe	85
4900	4284	WerFault.exe	86
4196	4380	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xy03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3452	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe
3452	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe
3452	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe
3452	DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4380	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	85
PID 5076 wrote to memory of 4380	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	85
PID 5076 wrote to memory of 4380	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	85
PID 5076 wrote to memory of 4284	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	86
PID 5076 wrote to memory of 4284	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	86
PID 5076 wrote to memory of 4284	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	86
PID 5076 wrote to memory of 3452	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	90
PID 5076 wrote to memory of 3452	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	90
PID 5076 wrote to memory of 3452	5076	d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\xy03.exe
  "C:\Users\Admin\AppData\Local\Temp\xy03.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 316
    3⤵
    - Program crash
    PID:5008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 364
    3⤵
    - Program crash
    PID:4196
- C:\Users\Admin\AppData\Local\Temp\3317.exe
  "C:\Users\Admin\AppData\Local\Temp\3317.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 216
    3⤵
    - Program crash
    PID:4900
- C:\Users\Admin\AppData\Local\Temp\DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe
  "C:\Users\Admin\AppData\Local\Temp\DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4380 -ip 4380
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4284 -ip 4284
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3317.exe

Filesize
181KB

MD5
afa2caa743aec940e3122361fb6ae5fa

SHA1
88b4888ef21e523ec6fe05e5f456b1c446e818b8

SHA256
98f4fdd3d20f3dc0b9f104f23a6a8c8bc4f6a57ceac0b58b09d51ad4bd79b0c9

SHA512
2edeba6d9b880ed41327abd38e22ca0748ed826606f19f66321946d029fe1b9c4b8ae14c5a65cade84fbfc8c358560ff553190a06ee408f8fb5c42af55ca84ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNFÉñµ¶±äÌ¬ÎÈ¶¨0404°æ.exe

Filesize
1.7MB

MD5
d66bd60d5a2bfb349b7dc05f3063a674

SHA1
9df52a5734302a5d2548b3a9de6282b448acaa3d

SHA256
aadcde894a77d7e2c6637b81a25c33aa2cc558b16b40357bf7917a60a4a05383

SHA512
87fd6483244f3f96949c7bc3477abe6279e88e63442f7bfd582bb6df50c40e68b6822c2139e264153f15513de1a7711520b98adaddd69c574b11f769fbcf7c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\xy03.exe

Filesize
42KB

MD5
529f6856d13d44057464afb139275bfb

SHA1
b76107164f06b680d987f6b013b77cbe86e63050

SHA256
17110d06615b68051f348b47209966a682cd21cc6ae1e139768e9b872e4865a9

SHA512
2646b478dc3a37b9c67b679219bd15030c0c47ef8c3e613bb85f8be33499af9ba50383a740f0c4d6f0cb0fbd961973697cbe6e1061150763dd0c9bf37e3915fa

Download Submit
C:\Windows\SysWOW64\lqcyc52.cyc

Filesize
31KB

MD5
3fe1d495631b1c996a48ea09443d6c2f

SHA1
44d38ec492f2527729813d8dccc70baa63ed0ac4

SHA256
825ab9878222dda86a85ed5ccdb3000a48221c307334d60703fcf3f186248941

SHA512
dfb2a48bba96c340ecd1aedd64d3a5a029f6811b2b4c639f3cc14fad6e6b1a911e712b6a4329741eb7d1ba973d3e654f968c37af25133905938ad47e93bce507

Download Submit
memory/4284-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4380-18-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/4380-22-0x0000000074230000-0x000000007423F000-memory.dmp

Filesize
60KB

Download
memory/4380-48-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/5076-0-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/5076-35-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing