3d6026b608127d1be80967e4bb72c435849a8bf4a29a0a2f362cfa67b96e55da

General

Target

d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
Size

1.6MB
MD5

d52d140f5a9fc17c8a39f899c9078d4e
SHA1

787a3f2b9ccf5b75dac66ee6a713c7f0379911ad
SHA256

3d6026b608127d1be80967e4bb72c435849a8bf4a29a0a2f362cfa67b96e55da
SHA512

6d59936772ed5fcedec1e611c707aa0b26161e56da7ce1ef63cd03caac7a101b88b2d4b53c1ed64594c0c3855c2255f6162c4f47f6ea56b00413850befb77b9d
SSDEEP

49152:GJwukiAFOrk6TXh1/7xUOLRTlpS+JOiwKTH9P:GO6Tx1DL4N0

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2840	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4312	4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe	87
PID 4536 wrote to memory of 4312	4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe	87
PID 4536 wrote to memory of 4312	4536	d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe	87
PID 4312 wrote to memory of 2840	4312	cmd.exe	89
PID 4312 wrote to memory of 2840	4312	cmd.exe	89
PID 4312 wrote to memory of 2840	4312	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d52d140f5a9fc17c8a39f899c9078d4e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2729.bat" "C:\Users\Admin\AppData\Local\Temp\D5F110509F05473C89C1C9DCB5017586\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2729.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F110509F05473C89C1C9DCB5017586\D5F110509F05473C89C1C9DCB5017586_LogFile.txt

Filesize
10KB

MD5
4963d6f160946f6e94dd26dd0c16a0b9

SHA1
4a6c5f75f1af7b78ac81ba99fa5e27efecaf4f31

SHA256
92b1962a00421e997cfd2cb172c0e069caba0b37456598e781ed58516c9c6220

SHA512
8ea29106710804b8161de901ab286035a1be8862adca6b32c501c285187d0c8c677daccdeb19412aafec2d0fc9668ac134a0bdaf6585ccaacf1ff8c4d4b90838

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F110509F05473C89C1C9DCB5017586\D5F110509F05473C89C1C9DCB5017586_LogFile.txt

Filesize
2KB

MD5
863c1a32d5ce815945464915e211089e

SHA1
821405dccd8c80a8ac35be0978864585dbd0380e

SHA256
a7435dc34c84e9d6add10386e4541aae6347c7addb8fa47b5c949f8f3f6a803f

SHA512
034f983141eb10c20a2f85fb8abd9cde4f4349663ca62fb960c9c504f2fe1481cd6feae9972b52d076cddc945adde7e44f8bcdf6b722e0eaefd3806d48b29fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F110509F05473C89C1C9DCB5017586\D5F110~1.TXT

Filesize
115KB

MD5
e33db2244b688cac054334a83cec443c

SHA1
660ff3c3acb4cf46cc92686c8bc154aad532ebf5

SHA256
52f7f37a3f3dfad38b0e6525ee4038203373831834401017361b704d72185ece

SHA512
6bd9e0b805599872323b95bdc8c0c4988e3f941b1c4053e0dbfa1b8b5fcb09c1d727c1616cd6f41f6f237209b9b9d346e1ffe4c021d753de845b89a7dfeedd2f

Download Submit
memory/4536-63-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/4536-238-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads