f76f53906f4af56d21e94820c5f263e83f7ad5b44b7a2fa75a33fb2aacf64fac

General

Target

d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
Size

168KB
MD5

d3bc5b67a53b6d08886755aaa1df2da4
SHA1

c0d1a4b9d5bdcc7bb47ee0ca4324ec1c1f6dc801
SHA256

f76f53906f4af56d21e94820c5f263e83f7ad5b44b7a2fa75a33fb2aacf64fac
SHA512

fb6371c75aded502d5bbfb5ec72b5b558a947b4958922853dd9ba71c3c2e6198f2da41fd979b0d846a804646bbf252a02b011e82a9780cacfb23de2cc471828d
SSDEEP

3072:QwjmK0lZmJLSIfQy4ueKep31ndyp6W6RLeYwAEc9Z7XTadCoz79EFWFMqE8:QbNhI4y4ueK63VdI6W6RLfTEG70CozYs

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3672	keygen.exe
344	ic1.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023466-5.dat	upx
behavioral2/memory/3672-8-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-36-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-39-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-40-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-41-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-42-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-43-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-44-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-45-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-46-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-47-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-48-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-49-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-50-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-51-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3672-52-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1008	AUDIODG.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3672	4404	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	82
PID 4404 wrote to memory of 3672	4404	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	82
PID 4404 wrote to memory of 3672	4404	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	82
PID 4404 wrote to memory of 344	4404	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	87
PID 4404 wrote to memory of 344	4404	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x454
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg96F2.tmp\keygen.exe

Filesize
125KB

MD5
8e9081cbbbe09c181fd16eeab67ddf6d

SHA1
25c7e8464f51d3ee511ba059d446b27004734562

SHA256
41fc5e08dad9818b2e6e815c3672a9554776207c40a441625aa39c8374e95569

SHA512
b99387681d1b0c9a23cd81589268da7406b0cf29f47847a125f444198cb588c7bae738c0aea34342419feff0805ae19259ffa0917f46ac8437c3cb2e97b58ada

Download Submit
memory/344-38-0x00007FFDF17C0000-0x00007FFDF2161000-memory.dmp

Filesize
9.6MB

Download
memory/344-37-0x00007FFDF1A75000-0x00007FFDF1A76000-memory.dmp

Filesize
4KB

Download
memory/344-24-0x00007FFDF1A75000-0x00007FFDF1A76000-memory.dmp

Filesize
4KB

Download
memory/344-26-0x00007FFDF17C0000-0x00007FFDF2161000-memory.dmp

Filesize
9.6MB

Download
memory/344-27-0x00007FFDF17C0000-0x00007FFDF2161000-memory.dmp

Filesize
9.6MB

Download
memory/344-28-0x000000001C550000-0x000000001CA1E000-memory.dmp

Filesize
4.8MB

Download
memory/344-29-0x000000001CB20000-0x000000001CBBC000-memory.dmp

Filesize
624KB

Download
memory/344-30-0x00000000019C0000-0x00000000019C8000-memory.dmp

Filesize
32KB

Download
memory/344-31-0x000000001CC80000-0x000000001CCCC000-memory.dmp

Filesize
304KB

Download
memory/344-32-0x000000001CD30000-0x000000001CD90000-memory.dmp

Filesize
384KB

Download
memory/344-25-0x000000001BFD0000-0x000000001C076000-memory.dmp

Filesize
664KB

Download
memory/3672-52-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-44-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-47-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-43-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-36-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-45-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-46-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-50-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-51-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3672-39-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing