72a09796fe2f6eed5156c3e68658b850115f2a2cc8337f3afe0ac5e5359509ac

General

Target

dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
Size

44KB
MD5

dc92951f97de7e402ef9b92ae0fcdfc7
SHA1

a141718b4b5930c57a93646a65d090cb3062ed58
SHA256

72a09796fe2f6eed5156c3e68658b850115f2a2cc8337f3afe0ac5e5359509ac
SHA512

74eda18e7015bef0d789f75f6c726bb3eff218213e17b9237db8023284f8d06ca89a4e9fc2e924905c28fdeea0fbb6a71750c956d83f88e22cba9705e9a3759b
SSDEEP

384:0cva0CApzYL31jwcKyV/1yoBf1+LLP2I33smBs:HfrpsLlDV/1yet+LLL3TB

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	myInsDll.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	myInsDll.exe

Loads dropped DLL 2 IoCs

pid	Process
4832	myInsDll.exe
4832	myInsDll.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4768-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/files/0x000800000002341f-15.dat	upx
behavioral2/memory/4832-18-0x0000000010000000-0x00000000100FF000-memory.dmp	upx
behavioral2/memory/4768-19-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4832-24-0x0000000010000000-0x00000000100FF000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	myInsDll.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jmanszb.dat	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Processc.dll	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\myInsDll.exe	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\myInsDll.exe	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc32.dll	myInsDll.exe
File opened for modification	C:\Windows\SysWOW64\sfc32.dll	myInsDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5004	4832	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myInsDll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4832	4768	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe	86
PID 4768 wrote to memory of 4832	4768	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe	86
PID 4768 wrote to memory of 4832	4768	dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe	86
PID 4832 wrote to memory of 2292	4832	myInsDll.exe	87
PID 4832 wrote to memory of 2292	4832	myInsDll.exe	87
PID 4832 wrote to memory of 2292	4832	myInsDll.exe	87

C:\Users\Admin\AppData\Local\Temp\dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\myInsDll.exe
  "C:\Windows\System32\myInsDll.exe" Processc.dll,myIns C:\Users\Admin\AppData\Local\Temp\dc92951f97de7e402ef9b92ae0fcdfc7_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\sfc.exe
    "C:\Windows\system32\sfc.exe" /REVERT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1100
    3⤵
    - Program crash
    PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4832 -ip 4832
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Processc.dll

Filesize
11KB

MD5
ef33b408bd82640fa439469fb1243126

SHA1
b15d1efc8fdda6312eb698d02943c55cc4b02902

SHA256
95669d70c4f733f942060a633fa5215c2c4267102605fb4bc723dde821231c07

SHA512
86da5df5e00150c13b22b3453a6db4fef0e95a617019a6b56115504ece97fef329597e1f28b241ce9ec22b637a0cecd7d09c316218468bdabe51fd3100eac7c0

Download Submit
C:\Windows\SysWOW64\myInsDll.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\sfc32.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
memory/4768-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4768-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4832-18-0x0000000010000000-0x00000000100FF000-memory.dmp

Filesize
1020KB

Download
memory/4832-24-0x0000000010000000-0x00000000100FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads