a860f0dc3d18d1e6fc0fa316cc363c23832868425d8489fcc1e443de19d864f8

General

Target

d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
Size

2.8MB
MD5

d53e1fd335365b1ef134d07eb861c402
SHA1

5d6616769a256a3b6cfcb242a8522157b8874d60
SHA256

a860f0dc3d18d1e6fc0fa316cc363c23832868425d8489fcc1e443de19d864f8
SHA512

d7cb5eac5d64b2e63af2d199c428e8d9bd3450e78910e6ef181a9e3a8e637e763a363da448f1eae07ed9b1567b3f41585999517d6743ead13a4f4d5b586a1711
SSDEEP

49152:OJgd73Il7j/h+n1qB3qKXhnbyMMku5vEFTyfvIdFo37mGGRIWpZ:b2/hQV+hnBM7E0fw8mDRbpZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1344	ANTILAG.EXE
1940	ANTILAG_SETUP.EXE
2480	is-QSGLE.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTILAG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTILAG_SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-QSGLE.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	ANTILAG.EXE
1344	ANTILAG.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	ANTILAG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 2092 wrote to memory of 3328	2092	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	83
PID 3328 wrote to memory of 1344	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	86
PID 3328 wrote to memory of 1344	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	86
PID 3328 wrote to memory of 1344	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	86
PID 3328 wrote to memory of 1940	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	87
PID 3328 wrote to memory of 1940	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	87
PID 3328 wrote to memory of 1940	3328	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	87
PID 1940 wrote to memory of 2480	1940	ANTILAG_SETUP.EXE	89
PID 1940 wrote to memory of 2480	1940	ANTILAG_SETUP.EXE	89
PID 1940 wrote to memory of 2480	1940	ANTILAG_SETUP.EXE	89

C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\ANTILAG.EXE
    "C:\ANTILAG.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\ANTILAG_SETUP.EXE
    "C:\ANTILAG_SETUP.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\is-798O0.tmp\is-QSGLE.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-798O0.tmp\is-QSGLE.tmp" /SL4 $70114 "C:\ANTILAG_SETUP.EXE" 558287 188928
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ANTILAG.EXE

Filesize
31KB

MD5
406a199cb8e3f2a56fedbc6a47e12685

SHA1
ebf91f67d7f6058b798970f777fe4298e1751f8f

SHA256
beaead6b3de120eb0e813f8ee5151d3ca35158e86160ca6c284aa5e523d56458

SHA512
82a586e1312a496a0b7e0d59a05478a32dbb386aec98975e94308f0534bc5234e61997f4d81567be50181b8523d8604db9ab606de6c24b3cefdd66869a96dda9

Download Submit
C:\ANTILAG_SETUP.EXE

Filesize
816KB

MD5
1ed9814430fbc71dcd945e5b301869b2

SHA1
f1321b86961236ef2ee784d6e7d3458c626cdd71

SHA256
2330449f8c4078af0055678bcff93119cd14468862d7b9ac028dc1c3f6bef466

SHA512
81f191bcd10420a3e7c07119bc8d773c23a2dac5407dc3a07cdaaa08cb4ec61c4398aa892f9f116c39b5dacf1df0de07febf11368f4e49556d57afdea06ece92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-798O0.tmp\is-QSGLE.tmp

Filesize
786KB

MD5
fc10aac848e111b8d7638c259f36b772

SHA1
036f95dc3ce96047b27137b8a0a4149aebc549b2

SHA256
9ed0d7858b59ca6d7261ae10c5127feaf384e87556fd2f7329c1768fffa682fe

SHA512
be795088394d843685aa3106e0171054a141c1a300a399fc1be9ebdeb36cbc73d866f2251fc56525b93e5ce11c601a5af680ab7eb7f113f4c15a542ea72668d7

Download Submit
memory/1344-43-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/1344-42-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1344-15-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/1344-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1940-31-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1940-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-41-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2480-46-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3328-26-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3328-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3328-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3328-5-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/3328-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing