9647ba89d49ee73f7d8dc3139204aa59d7722d5c874b78a5fd85d266b78d2beb

General

Target

ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
Size

288KB
MD5

ea70a8b24452eac62f7b62dbefa378cb
SHA1

b3b61ef34eabb70b1411353796f563c0f5a683d5
SHA256

9647ba89d49ee73f7d8dc3139204aa59d7722d5c874b78a5fd85d266b78d2beb
SHA512

2d85fb354c8dd58723527f1a4b61e124acffaa7efc0d2c9a3cef93a7a6099fe921697698625d1955895a8749a364b7aacf1bb375b000e38a93993a842845b92b
SSDEEP

6144:OMEMOBvYSf5Ka5H1yz79jTzahpZpFsMmKAae0dX:OMEMCwo0a+39+nZpFpmKAae0dX

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	tmp1.exe

Executes dropped EXE 4 IoCs

pid	Process
1504	tmp1.exe
3588	tmp2.exe
3780	svchosts.exe
3776	tmp2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchosts.exe"	svchosts.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 3776	3588	tmp2.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3776	tmp2.exe
3776	tmp2.exe
3776	tmp2.exe
3776	tmp2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
3588	tmp2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1504	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	82
PID 5060 wrote to memory of 1504	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	82
PID 5060 wrote to memory of 1504	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	82
PID 5060 wrote to memory of 3588	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	83
PID 5060 wrote to memory of 3588	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	83
PID 5060 wrote to memory of 3588	5060	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	83
PID 1504 wrote to memory of 3780	1504	tmp1.exe	84
PID 1504 wrote to memory of 3780	1504	tmp1.exe	84
PID 1504 wrote to memory of 3780	1504	tmp1.exe	84
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3588 wrote to memory of 3776	3588	tmp2.exe	85
PID 3776 wrote to memory of 3544	3776	tmp2.exe	56
PID 3776 wrote to memory of 3544	3776	tmp2.exe	56
PID 3776 wrote to memory of 3544	3776	tmp2.exe	56
PID 3776 wrote to memory of 3544	3776	tmp2.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\tmp1.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\svchosts.exe
      "C:\Users\Admin\AppData\Roaming\svchosts.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
12KB

MD5
dcc1198b6e043b8a1da246332ba5e6b5

SHA1
9ef5b5d4316b00f74bb4c48e8fe3dad7711b7a00

SHA256
5ef09f8720ae997228e778d4d30101a439164cdf5e5ca5892011e2d4b1a4486f

SHA512
a5e954b5d54ecf712103c32eb98087584bf8cea63bed8096f62d745e793a43560b3b95f32cc46fcfe8f2a56f308cef1ec58360b049c8c2ee5c38112a3a512e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
220KB

MD5
ab094c547f106567f5557d800afc3a1e

SHA1
19ff82b880230e64edf734847d07cfe48cb756e8

SHA256
ef85121ad77820e587e095431186f51edd5cdaddb1e757bf87f123ceec365d0b

SHA512
60d4d2d4e426cbe13977973c82d22fdd536e5675329c21af17403e9ed64de936bbea270157c81f812fb6baa720836d8802e830d763efe0860932ac189c4c4295

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3.exe

Filesize
14B

MD5
ee92da2012853a32c42920266a5f81c6

SHA1
5a35403a9ce6b35993ff2a68225089d1d5620869

SHA256
abc83e4e775e1f5f87189947f756d259e6f40cae3c2c374a037bb065797ece8a

SHA512
2571171e69ea02b3cfacb84082be2a40ead1afdb103feec2bacc2cf2025c6988ed90bf92460fb690bbd710a659b5da65f182232139350b01571b6f934a7387b3

Download Submit
memory/1504-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3544-52-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3544-51-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3588-27-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3588-31-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/3588-50-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3776-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3776-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3776-48-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3776-55-0x0000000000490000-0x0000000000559000-memory.dmp

Filesize
804KB

Download
memory/3780-42-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads