619ee6d2bfd16f417bff152559727bbc388a4e4498766e3b079147deaf0f7ba8

General

Target

d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe
Size

12.3MB
MD5

d06829e175fd1e4aaa5e09e24e08ac6e
SHA1

9a00709ef1aef5f94a85c37a6b1798a2f68b03dc
SHA256

619ee6d2bfd16f417bff152559727bbc388a4e4498766e3b079147deaf0f7ba8
SHA512

93fadf0b2e5771457810524cc726524df0bec9fb12c593e8933cce549a2dcbaf1d4046a0e3a9bbdf3283d8df1700a67450efdfba43ffd6101b74f6c9cfaef0c8
SSDEEP

393216:I+DFeUY/SX+PlH24tx9cMJd90EVb1nadZXTq/D:a9cu0EVb1nadZXTmD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fwzsgo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	fwzsgo.exe
2268	SFWebStatistics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwzsgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SFWebStatistics.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SFWebStatistics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SFWebStatistics.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe
2268	SFWebStatistics.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4404	fwzsgo.exe
4404	fwzsgo.exe
4404	fwzsgo.exe
4404	fwzsgo.exe
4404	fwzsgo.exe
4404	fwzsgo.exe
2268	SFWebStatistics.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4404	4080	d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe	86
PID 4080 wrote to memory of 4404	4080	d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe	86
PID 4080 wrote to memory of 4404	4080	d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe	86
PID 4404 wrote to memory of 2268	4404	fwzsgo.exe	88
PID 4404 wrote to memory of 2268	4404	fwzsgo.exe	88
PID 4404 wrote to memory of 2268	4404	fwzsgo.exe	88

C:\Users\Admin\AppData\Local\Temp\d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d06829e175fd1e4aaa5e09e24e08ac6e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\fwzsgo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\fwzsgo.exe" /VERYSILENT /SP-
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\SFWebStatistics.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\SFWebStatistics.exe" 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\InitCfg.dat

Filesize
67B

MD5
41195778bd6d7f0e008ad94ee92c1bad

SHA1
9b3c1bb9c84d67da53db2f4056684b02acbe5e4c

SHA256
7cf24f2e31cc94fa1430a9cc80cb8d758d20810b0dffc3138e1dea649f804966

SHA512
0afec6b68f93dc726954e0ad1512b00844dd230656a888b2e922630f3c657c8d86c231a9fa40cdd4c08e71e327b63ae20e5bffcd20495d1fd693827935497a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\SFWebStatistics.exe

Filesize
1.7MB

MD5
e8cdc84941d4f7721f2c3fa5cab5b978

SHA1
a83ad8043eb0a17811321e001c84d8c266b41635

SHA256
2b0dfc87145c7498ea2c8abcb2893728090b42324091f4107c45362a27788153

SHA512
7a32517874b840e25ddac3648886f4652ab0a4a028221053dfa7ca721273bebb4ae52f446ae8ba6055d04a3feb1f47efbe265ab30e12f38870fd190d17ff2f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\fwzs\Bin\InitCfg.dat

Filesize
143B

MD5
22fb4ac9bb2e71f3ecdcfe8a3b1e695c

SHA1
4b18d094d2d635d2b9720dad32d5cd62d9a3feb1

SHA256
c20d8b091b4a4398661b7ceaa4296da2a31927dd18f888cd1c41d9474d100ee5

SHA512
72f5517edfe902543b0f7b86aa14a63defcc41df3f9ea5fa5e9294a90ff96524a0daffa4577307b9f2422466031334507967e296341ca9aa179d09bc6cac127e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\fwzsgo.exe

Filesize
907KB

MD5
9c612b8c44d4de2a5912ccd1b7d134d4

SHA1
6a92508dd916a7a12dbc84d5083c42dfcc7f6c2b

SHA256
f31725243e97f7a6f580a20647bdcc35d61e468ee55bba06f9b865a04a880721

SHA512
67bec0504e930012256bb62fec8c2517dd988ed016143b0a755fd3d6735547a3cc2f86f821747ac46f244e7b7f544120e4d22cfb10bdf82002f37140f0103fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\skin\CenterBk.png

Filesize
5KB

MD5
6b6d50e9d5700e83eb6cd100dfeb9c63

SHA1
25696e58844ff25206194922ec802fc2252f96d9

SHA256
332dbd05c69105b690fd58ccc0dff32056c52d2426d7f73604beb74b590f3392

SHA512
bf539965060f8f99b79f8f903ef29a2116f27880c3261db8ead1fc70320af3d1b27d1a9f52b4b7ff940f24a570ef3ddddc64b0e6ce0f46bbfed90a6cf58aef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\skin\png1.png

Filesize
31KB

MD5
74e3e448d025b9bd90a7a769b73cd60f

SHA1
494b418419b5388be59b3627b8cde425a29a547e

SHA256
c8444fbd96568b6a8a6dc7a58d0f3e00c0c6b96585e65f3e641150e0b36fbec5

SHA512
aa4c4b64258e1d497db63250cd405b39bad7d2fa6d7600de4be5f89b0d92bbdf0ac0fe6e1653732d0c5a27b7bb05c54b120250e4c7605039858f2dd636ed84d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fwzs\skin\png2.png

Filesize
21KB

MD5
4fd8be53df81e059ea498d8e2a77c287

SHA1
da0bd375c445a8c58f989ebac4832c59b3c26590

SHA256
928c6c54ee96c1f7951f41140210163bf1878758d8faf9eebd3a49a621a6e187

SHA512
01b3ad2d70565c02ef9693176a95018dffedaaefde0ab627a362aaee06fc7fa20dfe5e1358d99ed65dabe242c7b3e8c2282aebeed5eedd2cbb2adf6ed1502353

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads