348ed02a9d00847bed951010c7af7cb9e0fdb41fcddb779e7e760cc251e346a2

General

Target

df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe
Size

1.8MB
MD5

df12f62ba1ae1cf9a624572dc3f8f10d
SHA1

b80f622e76ba090a10c8bb7438877003acb249e0
SHA256

348ed02a9d00847bed951010c7af7cb9e0fdb41fcddb779e7e760cc251e346a2
SHA512

ff6205052c0d9a49ec361742982f6d50f22dce42549f289ec4241ee54cff80f043cd6091cd07c6ed5cff5e708f26692621eedc9c17c5fd2e607e2970e730b088
SSDEEP

49152:uUy4m9mg9uJBMODTSVBGxYWWiwHIeGg4r05iPr0kfYhlOd:u5RAwuJpTSVIYWWiwH9Gg4r05iPdmOd

Score

7^/10

discovery themida

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1248	F42.exe
5068	F42.exe
2496	S42.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x00070000000234da-19.dat	themida

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AJ.Settings	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AJ.Settings	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S42.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1248	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	83
PID 3712 wrote to memory of 1248	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	83
PID 3712 wrote to memory of 1248	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	83
PID 3712 wrote to memory of 5068	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	87
PID 3712 wrote to memory of 5068	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	87
PID 3712 wrote to memory of 5068	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	87
PID 3712 wrote to memory of 2496	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	95
PID 3712 wrote to memory of 2496	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	95
PID 3712 wrote to memory of 2496	3712	df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df12f62ba1ae1cf9a624572dc3f8f10d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712
- C:\F42.exe
  C:\F42.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\F42.exe
  "C:\F42.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\S42.exe
  "C:\S42.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\F42.exe

Filesize
444KB

MD5
9bb6826905965c13be1c84cc0ff83f42

SHA1
ae7734e7a54353ab13ecba780ed62344332fbc6f

SHA256
cfa4f56807405fd36e406688feb970a0d0d4854456ba2da72e4a33a27b01d9ae

SHA512
09b5f6be1f638948854a4e332b9c0f74c8583db23c0d3d905c1467a5daaf571a57a04b0e91867b4a8984cb43b19df7fc41dc182841db9dc637389e135cfd211f

Download Submit
C:\S42.exe

Filesize
1.3MB

MD5
e60536d53c253b4997724b8631bf6067

SHA1
de1676d289cefa000d07c4fae42f84a6073d7a68

SHA256
79ada8911ea92c0f9d0cb019f749802302daee489531f4fbeff364fa82be2112

SHA512
b58d72fbc5b4980fecc9610a16cfd56ce2ec2879ed31002aad9e7bb5ddcb245e787bd75fdf1fa3a71e665f117e5413c3504a5cb5ee18d4beef2a803cf992003c

Download Submit
C:\Windows\SysWOW64\AJ.Settings

Filesize
1.8MB

MD5
df12f62ba1ae1cf9a624572dc3f8f10d

SHA1
b80f622e76ba090a10c8bb7438877003acb249e0

SHA256
348ed02a9d00847bed951010c7af7cb9e0fdb41fcddb779e7e760cc251e346a2

SHA512
ff6205052c0d9a49ec361742982f6d50f22dce42549f289ec4241ee54cff80f043cd6091cd07c6ed5cff5e708f26692621eedc9c17c5fd2e607e2970e730b088

Download Submit
memory/3712-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3712-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing