d33ed7deb25c5d70dc1c671150757f9962e7ea0c0d8cd4718d9624744ad152d1

General

Target

d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe
Size

578KB
MD5

d5c3e29f72c48d899aa0e62f977e9e0e
SHA1

565b9521593626504b7cdcab0198e783bb7b2f29
SHA256

d33ed7deb25c5d70dc1c671150757f9962e7ea0c0d8cd4718d9624744ad152d1
SHA512

5a966dd453de2e08471e8beaa40c4aee3cb863438f501adfff00665262161b55892dc1fd44b35ca041577c27f9c998921291e346ea4b452ea58fdda500693c9d
SSDEEP

12288:wybTTmbwee2+0e34u/F+Z3zSt1pHmfLnmxuUPtQP9bZzGZEfU:wybTqbv1+0e3B+pzSpGfLnmU+W/GV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	Ins8CEE.tmpinstall.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4680	MSIEXEC.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ins8CEE.tmpinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4680	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4680	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4680	MSIEXEC.EXE
4680	MSIEXEC.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	Ins8CEE.tmpinstall.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1728	4880	d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe	87
PID 4880 wrote to memory of 1728	4880	d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe	87
PID 4880 wrote to memory of 1728	4880	d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe	87
PID 1728 wrote to memory of 4680	1728	Ins8CEE.tmpinstall.exe	93
PID 1728 wrote to memory of 4680	1728	Ins8CEE.tmpinstall.exe	93
PID 1728 wrote to memory of 4680	1728	Ins8CEE.tmpinstall.exe	93

C:\Users\Admin\AppData\Local\Temp\d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5c3e29f72c48d899aa0e62f977e9e0e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\Ins8CEE.tmpinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Ins8CEE.tmpinstall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/slotsgardencasino/Party City Casino20150410011841.msi" DDC_DID=1698548 DDC_DOWNLOAD_AFFID=1888 DDC_UPDATESTATUSURL=http://190.4.94.34:8080/betroyal/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.34:8080/betroyal/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=trackingID CUSTOMVALUE02=PTC8b813086c526b222bbec35cc46118577 SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins8CEE.tmpinstall.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ins8CEE.tmpinstall.exe

Filesize
1.2MB

MD5
b44b67f35346a91496371730c6fae037

SHA1
872ef305bf1953b56bbdcc2f00e8a876f9e9436c

SHA256
eba1c1bd2fcd548f67445fce3088a02dab33adb1b210908533e661adec05e02b

SHA512
d60a8c9af16ac34c31329a27dad2821aba140b0944019d9cb93c048486e80ca7b0f0565cea565f84c160e85c438782e5170a40218dae1f592d34e14d97836592

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is9148.tmp

Filesize
1KB

MD5
ca45cd77b1a6ba391e619405ffe1c811

SHA1
d57d04db663cec9a489cad7d8b84bd488c77df7f

SHA256
7cc48ca29c13507bd51a16b56e8d4f17cd8ab3a5fa0f7f27ea6059bc8e8795d4

SHA512
3431cdbcb4c8f75d5df1d8a2e796cce32583a4afa50b1e8ecc573bee5a02517c97c9b0967d17b1289c306fc7bd1892be82b9aaedb92af9d096dfd26d4c022454

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C3A75F4C-CB58-4DBF-B1A8-1DEDA1897342}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C3A75F4C-CB58-4DBF-B1A8-1DEDA1897342}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9145.tmp

Filesize
5KB

MD5
1df50cd377d0d57b2c7a2ea153d33376

SHA1
063eee1a833c67bcf0985d58510c3ad2f867da8e

SHA256
1a8549ec1c312009b99bd82cd5ba1d6aaac2aed38f4da7e074bd1478d062fee9

SHA512
cc7c3dccc8887632361f8b0c3a7da64660a482ca205acf875b9f9ac8724ddc4b67ecd9f53b3c63c3cac818e0c81ce45c77c63cd3c4a3dafac97b0a67793505e7

Download Submit

Analysis

Sharing