c22279b381ab4fe6d423b9912e251e0cb17197b32d279b35d71925886fd793ad

General

Target

dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
Size

2.4MB
MD5

dace0deab0b9b408694e6e88517397c4
SHA1

fd683dc4bed73009a701df0a0d07733401fbd282
SHA256

c22279b381ab4fe6d423b9912e251e0cb17197b32d279b35d71925886fd793ad
SHA512

8b036b5d7499655261cd8f6e0853098d5e20cfbb08d51838e9006c6cf162e8150ea39fe8f49986e0abcd437728b84095c198c38795d6cdf316b7e749cfc238d3
SSDEEP

49152:rQRc8TIz0JbgVL0eGIfQa5XXB9Lp2rgrPjEWNBrCaEXIPn:8RcM2L07ID5XLUr27pNB+Xa

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winzip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winzip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	winzip.exe
3272	winzip.exe

Loads dropped DLL 4 IoCs

pid	Process
60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3080	3272	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winzip.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2392	60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe	86
PID 60 wrote to memory of 2392	60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe	86
PID 60 wrote to memory of 2392	60	dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe	86
PID 2392 wrote to memory of 3272	2392	winzip.exe	87
PID 2392 wrote to memory of 3272	2392	winzip.exe	87
PID 2392 wrote to memory of 3272	2392	winzip.exe	87
PID 2392 wrote to memory of 3272	2392	winzip.exe	87
PID 2392 wrote to memory of 3272	2392	winzip.exe	87

C:\Users\Admin\AppData\Local\Temp\dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dace0deab0b9b408694e6e88517397c4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Roaming\winxarj\winzip.exe
  "C:\Users\Admin\AppData\Roaming\winxarj\winzip.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Roaming\winxarj\winzip.exe
    "C:\Users\Admin\AppData\Roaming\winxarj\winzip.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1036
      4⤵
      Program crash
      PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3272 -ip 3272
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl8927.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8927.tmp\mmm.dll

Filesize
7KB

MD5
323a34a899ac07858724a9d6bd98845a

SHA1
6157e087b0725a0aa0999baf993f7c5bee82ac06

SHA256
dfb7b7e988368767d663ffbabd5e3d7fc054934237f60c71fc7530fd22e7e7be

SHA512
a73754faaeb3628a8dfe6aa742306551040a2209117c491a4c3f87893b224a81a1227843598c5c3486f38e9c77a1a8e178615922b822c03956d317d150fe2fae

Download Submit
C:\Users\Admin\AppData\Roaming\winxarj\winzip.exe

Filesize
1.1MB

MD5
05c407693cad194804449dc6475eeec7

SHA1
5f06673d91ab78f03052a72ca11459943965bcbf

SHA256
c9f9d1b4af6cde040159cee584832010e62f5677c3a2bd4384f9fea5734d0acf

SHA512
d260b4cbd7207f4ba4917a882057671789d82a050caa9353d6728d5187a67fa4b09e25f19d540d738cd56889aaf8b5349cd1be27d9912c1b15e2a45c2a4988fd

Download Submit
memory/2392-79-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2392-96-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3272-91-0x0000000002220000-0x0000000002325000-memory.dmp

Filesize
1.0MB

Download
memory/3272-85-0x0000000002220000-0x0000000002325000-memory.dmp

Filesize
1.0MB

Download
memory/3272-92-0x00007FFE16790000-0x00007FFE16985000-memory.dmp

Filesize
2.0MB

Download
memory/3272-94-0x0000000002220000-0x0000000002325000-memory.dmp

Filesize
1.0MB

Download
memory/3272-95-0x0000000002220000-0x0000000002325000-memory.dmp

Filesize
1.0MB

Download
memory/3272-84-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3272-98-0x00007FFE16790000-0x00007FFE16985000-memory.dmp

Filesize
2.0MB

Download
memory/3272-97-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads