4018cd619bcad11e55bace3e007f5a6a437ebe6f1abf9ee558c437bd1bba26c9

General

Target

d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe
Size

404KB
MD5

d5a639c3741727cd632dedeaee9c4cec
SHA1

fadeccd37072d6656b1f33aaf20b72098327fa62
SHA256

4018cd619bcad11e55bace3e007f5a6a437ebe6f1abf9ee558c437bd1bba26c9
SHA512

acabc9fd7655f52f647099e631bd00622c6312f4ed6e7f611fd0f7513c2bdcaf6de86600cb38cea1091650748a982fcbbbd8a298d765f0b3c7c9d46978c70035
SSDEEP

6144:Jl1/a938tB95iZ9lirx+0Sot3Bh4C53QXxX+/B7xce9Zu2r:l/aStB9gZzir5RH4C534MceDu2r

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1816	Advanced JPEG Compressor v5.0 [Serial].exe
2188	7za.exe
1228	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Advanced JPEG Compressor v5.0 [Serial].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1816	Advanced JPEG Compressor v5.0 [Serial].exe
1816	Advanced JPEG Compressor v5.0 [Serial].exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1816	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	85
PID 2664 wrote to memory of 1816	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	85
PID 2664 wrote to memory of 1816	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	85
PID 2664 wrote to memory of 2188	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	87
PID 2664 wrote to memory of 2188	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	87
PID 2664 wrote to memory of 2188	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	87
PID 2664 wrote to memory of 1228	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	89
PID 2664 wrote to memory of 1228	2664	d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5a639c3741727cd632dedeaee9c4cec_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\Advanced JPEG Compressor v5.0 [Serial].exe
  "C:\Users\Admin\AppData\Local\Temp\Advanced JPEG Compressor v5.0 [Serial].exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advanced JPEG Compressor v5.0 [Serial].exe

Filesize
162KB

MD5
e578fc985ace6549578f31bb6e35bf56

SHA1
d316e62fc973dd56c3c7993b2d9d81f86888d56e

SHA256
84aedeb62b4744644d02e629e2775b63263a7896942a0a5546944e85409e91e7

SHA512
1aab92ab235689873688c6e60e0d3811acedd5fb870264ccfaf995d051ed3afdd9161a1d3f98b72ad1a40ac9eaea0d1e8d91d8b819fffd982e3f8c70be1f9f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
fe1a3c6046eaa4de86b2f37d5d5d9fec

SHA1
254d7411106436e9c583b21fb3aabd11665b4ad2

SHA256
760db114cd6711fd8c5df7f0ddc7e0b641c8c585dbe199b4a316e726ed390c11

SHA512
1ad719b52a294441c101e1d40babc8dd4ea0d39286d93d3047d024a1590f8e48ccff556bea5469eb1713294b04760ee656f627d4876a9cdf657eadf87a00b0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5D.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/1228-30-0x000000001BEE0000-0x000000001C3AE000-memory.dmp

Filesize
4.8MB

Download
memory/1228-28-0x000000001B960000-0x000000001BA06000-memory.dmp

Filesize
664KB

Download
memory/1228-29-0x00007FFC5D040000-0x00007FFC5D9E1000-memory.dmp

Filesize
9.6MB

Download
memory/1228-27-0x00007FFC5D2F5000-0x00007FFC5D2F6000-memory.dmp

Filesize
4KB

Download
memory/1228-31-0x00007FFC5D040000-0x00007FFC5D9E1000-memory.dmp

Filesize
9.6MB

Download
memory/1228-32-0x000000001C450000-0x000000001C4EC000-memory.dmp

Filesize
624KB

Download
memory/1228-33-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/1228-34-0x000000001C6B0000-0x000000001C6FC000-memory.dmp

Filesize
304KB

Download
memory/1228-35-0x000000001C760000-0x000000001C7C0000-memory.dmp

Filesize
384KB

Download
memory/1228-39-0x00007FFC5D2F5000-0x00007FFC5D2F6000-memory.dmp

Filesize
4KB

Download
memory/1228-40-0x00007FFC5D040000-0x00007FFC5D9E1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing