835315b4c0b0f6f2086e1304167bc6d60ef05312bd2ac41591ab58baeaa6e5eb

General

Target

eac050822db1aa99525c558710a10890_JaffaCakes118.exe
Size

292KB
MD5

eac050822db1aa99525c558710a10890
SHA1

f6acbf828316d9715e2f1d6326107bef3608c3da
SHA256

835315b4c0b0f6f2086e1304167bc6d60ef05312bd2ac41591ab58baeaa6e5eb
SHA512

16f7f93a38fe49e46dea4113502c8378a15f6dc03a58d3036f110e681be6f3a27e2e409e9c28488c93ee20fe22ec8128f5d3f98ed8956e1b93c57218a18ca59e
SSDEEP

6144:/bXE9OiTGfhEClq9lPAav5NR1vopNPagyaSl/I6tV/:jU9XiuiOBV0hSxL

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	eac050822db1aa99525c558710a10890_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	i144.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\3t.jpg	eac050822db1aa99525c558710a10890_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\i144.exe	eac050822db1aa99525c558710a10890_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\test5.bat	eac050822db1aa99525c558710a10890_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\p.txt	eac050822db1aa99525c558710a10890_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\3t.jpg	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac050822db1aa99525c558710a10890_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	eac050822db1aa99525c558710a10890_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3140	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1564	mspaint.exe
1564	mspaint.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1564	mspaint.exe
3508	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1564	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	82
PID 1844 wrote to memory of 1564	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	82
PID 1844 wrote to memory of 1564	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	82
PID 1844 wrote to memory of 1172	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	83
PID 1844 wrote to memory of 1172	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	83
PID 1844 wrote to memory of 1172	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	83
PID 1844 wrote to memory of 3100	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	85
PID 1844 wrote to memory of 3100	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	85
PID 1844 wrote to memory of 3100	1844	eac050822db1aa99525c558710a10890_JaffaCakes118.exe	85
PID 1172 wrote to memory of 3140	1172	cmd.exe	89
PID 1172 wrote to memory of 3140	1172	cmd.exe	89
PID 1172 wrote to memory of 3140	1172	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\ololo\3t.jpg" /ForceBootstrapPaint3D
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ololo\test5.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s snapshot.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3140
- C:\Program Files (x86)\ololo\i144.exe
  "C:\Program Files (x86)\ololo\i144.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\3t.jpg

Filesize
72KB

MD5
8a2afe805d180f87121533fa07e7fa93

SHA1
95c9f46aab77859ec575aa1aea22c9c5be7278ae

SHA256
aaadbbd06877a7f67129bcbd6f7d1e71f93690a541d5b291cd2e0bcb8b45f048

SHA512
ee47100de3bcf43e74d8c54d511d63a8195b2e2bf46e8f27e6bc9f6af6753f753e594f77baaedec5f79289d003b6794be7ddd7e6fe019fd9045fc6b1952a0c73

Download Submit
C:\Program Files (x86)\ololo\i144.exe

Filesize
149KB

MD5
a6c35a1d588ba6e856203f63f4bf957f

SHA1
ad68bc2bcde52b0b06ad27dc8fe91608b715d8f2

SHA256
6aca9bae324d234fb3f9a293035c0a7f9f357553068fd5333662205228f724bf

SHA512
881788889c1b000a897cd5b7e890c434e5b423244abff9d3c5a7cd2a9f9205d6f0814ca408563e413214cbf9bddd978024daea86a29255609f3b74e16db25623

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
4B

MD5
2f2c42d6bed9cbfed344c08ddd28a554

SHA1
c2e366cb09097d46de6695665b647aec6e00437e

SHA256
63512f53cc19a54417c287b6dd08939ae77a9301034614782e28ce9e924a9769

SHA512
4445d27f501773944239f72f4f5907b1e7c28e3c4a8324d645f739bbb06ba730269eb60dd5540743343146f926711d169a018ca6204e8736ebe7739757338fe3

Download Submit
C:\Program Files (x86)\ololo\test5.bat

Filesize
34KB

MD5
4198fbd64294b2f0f5b7770715caeb5d

SHA1
92d7584a042c9a59bdd43aee593250a803c0e6db

SHA256
9b12133b28204540cef563d0e8cf20a6a8ebb2e3d91991584ecca2616fc71598

SHA512
693791bdc12c3542cd726c4edeb6330f12e4ba1a7eac7f8980d5e356df4de00561a17fd8dd7dfe75879a54723941f6c3e2cfb7325f3661046fb912d7851b3174

Download Submit
memory/1844-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3100-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4912-36-0x0000023244760000-0x0000023244770000-memory.dmp

Filesize
64KB

Download
memory/4912-47-0x000002324D2F0000-0x000002324D2F1000-memory.dmp

Filesize
4KB

Download
memory/4912-49-0x000002324D370000-0x000002324D371000-memory.dmp

Filesize
4KB

Download
memory/4912-51-0x000002324D370000-0x000002324D371000-memory.dmp

Filesize
4KB

Download
memory/4912-52-0x000002324D400000-0x000002324D401000-memory.dmp

Filesize
4KB

Download
memory/4912-53-0x000002324D400000-0x000002324D401000-memory.dmp

Filesize
4KB

Download
memory/4912-54-0x000002324D410000-0x000002324D411000-memory.dmp

Filesize
4KB

Download
memory/4912-55-0x000002324D410000-0x000002324D411000-memory.dmp

Filesize
4KB

Download
memory/4912-40-0x00000232447A0000-0x00000232447B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing