1b239168451ad131e4f7409fdf14e5d8ca050061702efe92c22059d0e8622154

General

Target

df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
Size

356KB
MD5

df5ad86ef678f16fd543cb24bb8c7568
SHA1

f86ca3a8418dfee2cfc89982191f22f5516e698b
SHA256

1b239168451ad131e4f7409fdf14e5d8ca050061702efe92c22059d0e8622154
SHA512

f142ec1010efa1c814c8fe52b3138eb729c0f2fb656ad2b24f4abe24d72e4bf6c1eeba4b607fd117e280a1a1dc4ff5e3e155440371736612213dec9d58b21888
SSDEEP

6144:7vbx8uzNZVz95q+Em3CwSJ96bd4cPItdHIsx2xPEeGcSUaV:7dzpqBNJ0bd4aI3IQuPFGcSUa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3204	4nQItbFlf.exe

Executes dropped EXE 2 IoCs

pid	Process
4468	4nQItbFlf.exe
3204	4nQItbFlf.exe

Loads dropped DLL 4 IoCs

pid	Process
1596	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
1596	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
3204	4nQItbFlf.exe
3204	4nQItbFlf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g6NyT9jKhp = "C:\\ProgramData\\yOK4UEvr2qTckZSw\\4nQItbFlf.exe"	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 4468 set thread context of 3204	4468	4nQItbFlf.exe	97
PID 3204 set thread context of 2808	3204	4nQItbFlf.exe	107

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4nQItbFlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4nQItbFlf.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 208 wrote to memory of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 208 wrote to memory of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 208 wrote to memory of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 208 wrote to memory of 1596	208	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	95
PID 1596 wrote to memory of 4468	1596	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	96
PID 1596 wrote to memory of 4468	1596	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	96
PID 1596 wrote to memory of 4468	1596	df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe	96
PID 4468 wrote to memory of 3204	4468	4nQItbFlf.exe	97
PID 4468 wrote to memory of 3204	4468	4nQItbFlf.exe	97
PID 4468 wrote to memory of 3204	4468	4nQItbFlf.exe	97
PID 4468 wrote to memory of 3204	4468	4nQItbFlf.exe	97
PID 4468 wrote to memory of 3204	4468	4nQItbFlf.exe	97
PID 3204 wrote to memory of 3660	3204	4nQItbFlf.exe	98
PID 3204 wrote to memory of 3660	3204	4nQItbFlf.exe	98
PID 3204 wrote to memory of 3660	3204	4nQItbFlf.exe	98
PID 3204 wrote to memory of 2808	3204	4nQItbFlf.exe	107
PID 3204 wrote to memory of 2808	3204	4nQItbFlf.exe	107
PID 3204 wrote to memory of 2808	3204	4nQItbFlf.exe	107
PID 3204 wrote to memory of 2808	3204	4nQItbFlf.exe	107
PID 3204 wrote to memory of 2808	3204	4nQItbFlf.exe	107

C:\Users\Admin\AppData\Local\Temp\df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df5ad86ef678f16fd543cb24bb8c7568_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\ProgramData\yOK4UEvr2qTckZSw\4nQItbFlf.exe
    "C:\ProgramData\yOK4UEvr2qTckZSw\4nQItbFlf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\ProgramData\yOK4UEvr2qTckZSw\4nQItbFlf.exe
      "C:\ProgramData\yOK4UEvr2qTckZSw\4nQItbFlf.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /i:3204
        5⤵
        
        PID:3660
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe" /i:3204
        5⤵
        
        PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yOK4UEvr2qTckZSw\4nQItbFlf.exe

Filesize
356KB

MD5
df5ad86ef678f16fd543cb24bb8c7568

SHA1
f86ca3a8418dfee2cfc89982191f22f5516e698b

SHA256
1b239168451ad131e4f7409fdf14e5d8ca050061702efe92c22059d0e8622154

SHA512
f142ec1010efa1c814c8fe52b3138eb729c0f2fb656ad2b24f4abe24d72e4bf6c1eeba4b607fd117e280a1a1dc4ff5e3e155440371736612213dec9d58b21888

Download Submit
C:\ProgramData\yOK4UEvr2qTckZSw\RCX1F3B.tmp

Filesize
356KB

MD5
44da428efe921534ed74c9b264a72c22

SHA1
94c0d7b6b0901123c6e6d1689d239299c2597b5a

SHA256
e8ad89d592f50346355ad8e23f1f639019b3ab917c4c02cdee497bc233bab592

SHA512
2d6df48c7ed19435a95aadf4b2522d363253fe60da32f5bd415fa55bc6411ed3dc5479c6da2d86dc8eec9c3c45a9ee56ee0ac34413fd7eb4a4ae34a773521de7

Download Submit
memory/208-0-0x0000000075B10000-0x0000000075B11000-memory.dmp

Filesize
4KB

Download
memory/208-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1596-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1596-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1596-5-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/1596-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1596-21-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/1596-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2808-45-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/2808-41-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/3204-37-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/3204-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3204-27-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/3204-44-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/3204-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4468-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4468-29-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/4468-22-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads