17ed311362880673f6d0e328eb3d5ec1a15b4cb27ba9eebf0643dc50b43e1ab6

General

Target

d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Size

97KB
MD5

d3459f8aba51420f46fec4ec43554567
SHA1

7261419061dca47ee9277e0f8e90e921764b51d0
SHA256

17ed311362880673f6d0e328eb3d5ec1a15b4cb27ba9eebf0643dc50b43e1ab6
SHA512

05097b35f97c1679ec730713a4a870a1b04e701498e36fac78e5018aa36ffdb8e7012a2347c887bf255d187fb6ce578fc09582a68f16772d901136a98e555156
SSDEEP

3072:6D7T8VxHhZrUdI+CDfeqwhmHFqgOrBEuK8k/R:6DsVxBWI+gfe/RgySmMR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4300	Ri67yukP.exe
4880	Ri67yukP.exe
2604	Ri67yukP.exe
1608	Ri67yukP.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	109.230.217.44
Destination IP	109.230.217.44
Destination IP	109.230.217.44
Destination IP	109.230.217.44
Destination IP	109.230.217.44
Destination IP	109.230.217.44
Destination IP	109.230.217.44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ri67yukP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode 1 TTPs 8 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 8 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Ri67yukP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	Ri67yukP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4300	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	87
PID 3032 wrote to memory of 4300	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	87
PID 3032 wrote to memory of 4300	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	87
PID 3032 wrote to memory of 1988	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	97
PID 3032 wrote to memory of 1988	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	97
PID 3032 wrote to memory of 1988	3032	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	97
PID 1988 wrote to memory of 4880	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	98
PID 1988 wrote to memory of 4880	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	98
PID 1988 wrote to memory of 4880	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	98
PID 1988 wrote to memory of 980	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	99
PID 1988 wrote to memory of 980	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	99
PID 1988 wrote to memory of 980	1988	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	99
PID 980 wrote to memory of 2604	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	100
PID 980 wrote to memory of 2604	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	100
PID 980 wrote to memory of 2604	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	100
PID 980 wrote to memory of 4924	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	101
PID 980 wrote to memory of 4924	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	101
PID 980 wrote to memory of 4924	980	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	101
PID 4924 wrote to memory of 1608	4924	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	102
PID 4924 wrote to memory of 1608	4924	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	102
PID 4924 wrote to memory of 1608	4924	d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\ProgramData\Ri67yukP.exe
  "C:\ProgramData\Ri67yukP.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\ProgramData\Ri67yukP.exe
    "C:\ProgramData\Ri67yukP.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\ProgramData\Ri67yukP.exe
      "C:\ProgramData\Ri67yukP.exe"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d3459f8aba51420f46fec4ec43554567_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\ProgramData\Ri67yukP.exe
        
        "C:\ProgramData\Ri67yukP.exe"
        5⤵
        Executes dropped EXE
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ri67yukP.exe

Filesize
97KB

MD5
d3459f8aba51420f46fec4ec43554567

SHA1
7261419061dca47ee9277e0f8e90e921764b51d0

SHA256
17ed311362880673f6d0e328eb3d5ec1a15b4cb27ba9eebf0643dc50b43e1ab6

SHA512
05097b35f97c1679ec730713a4a870a1b04e701498e36fac78e5018aa36ffdb8e7012a2347c887bf255d187fb6ce578fc09582a68f16772d901136a98e555156

Download Submit
memory/980-55-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/980-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-35-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-36-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1988-46-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2604-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3032-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3032-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3032-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3032-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3032-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-1-0x00000000021C0000-0x0000000002290000-memory.dmp

Filesize
832KB

Download
memory/4300-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4300-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4300-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4880-38-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads