0caccf6c29f5d450cf512b57349874e056d0225e39ff724f461753494ef73e08

General

Target

d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe
Size

677KB
MD5

d98f5f5006f27087a853301c7141fc48
SHA1

6044c865a6a1328a799398da1455ffb5b10476da
SHA256

0caccf6c29f5d450cf512b57349874e056d0225e39ff724f461753494ef73e08
SHA512

9441ec3bd7ceb75ae6a0fa44f3c4c7bda3913368fe938d190e9f1649087c61e7ffe738c143e903c84cb8abb5ecd18ccbda5276a6c56212954263928b07ab2de0
SSDEEP

12288:VinPEoH6fh/RE8MyAsfYER+DYLOUhYUGwQZQd8+UrdFplP3Jf+A5ahnwMqg8pHC:VLlh/RxMBsb+AOxUmed8+8Df+AInxcC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3640	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3640	POWERPNT.EXE
3640	POWERPNT.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3640	4988	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe	83
PID 4988 wrote to memory of 3640	4988	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe	83
PID 4988 wrote to memory of 3640	4988	d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d98f5f5006f27087a853301c7141fc48_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\GIRL.PPS" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GIRL.PPS

Filesize
621KB

MD5
b133618ea3d2b29e0c5f00fe16ca02e2

SHA1
7d2051b2f65460d0c2fdee26aea6ed23a957d40d

SHA256
d94f6cab9cdc764edabe5a25c56be8d3b05d6e74a6179b4e454a9ddc0e20efd5

SHA512
e6de88d7362a9de0715dcfb3883d7e6ce220d9b188e023b9a37dbdd8728c55001491f69b882576bc18bdb210042fb86494967cbdb72ea2b9f31eacbea9ea6c04

Download Submit
memory/3640-14-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-53-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-16-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-6-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-7-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-9-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-8-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-10-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-12-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-11-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-13-0x00007FFC856A0000-0x00007FFC856B0000-memory.dmp

Filesize
64KB

Download
memory/3640-15-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-4-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-5-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-2-0x00007FFCC7C0D000-0x00007FFCC7C0E000-memory.dmp

Filesize
4KB

Download
memory/3640-19-0x00007FFC856A0000-0x00007FFC856B0000-memory.dmp

Filesize
64KB

Download
memory/3640-18-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-22-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-21-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-20-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-23-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-17-0x00007FFCC7B70000-0x00007FFCC7D65000-memory.dmp

Filesize
2.0MB

Download
memory/3640-49-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-51-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-50-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-52-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download
memory/3640-3-0x00007FFC87BF0000-0x00007FFC87C00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads