9399ffc9d442614d48abd29418d5872405a3a19ac77b9646cf39bf44bb0b0483

General

Target

eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe
Size

1.5MB
MD5

eac08db3fa1c18e939aba316744b3aeb
SHA1

262dd8ad27f510a2a53fdb7e5f8915a82bd108d1
SHA256

9399ffc9d442614d48abd29418d5872405a3a19ac77b9646cf39bf44bb0b0483
SHA512

aac17f8de6f35b740b4bf6d18f55fb2c5f399ff6d902db1fef6c3ce9ce0abb2eb3b21eee85fea537c6fce40fbfaa311edef4d34d722d084aedf2b88acec063de
SSDEEP

24576:s6QJy1KWYl+CyvvgkOYoNWcMTsUEb2UMNKElXS4cWquWmWzeysLWJo:9Dt9OYoNkTsrL4cWquWmWzevCJo

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	usnscv.exe

Executes dropped EXE 1 IoCs

pid	Process
3384	usnscv.exe

Loads dropped DLL 2 IoCs

pid	Process
3384	usnscv.exe
3384	usnscv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4004	3384	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usnscv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3868	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3384	usnscv.exe
3384	usnscv.exe
3384	usnscv.exe
3384	usnscv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3384	usnscv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3384	3124	eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe	89
PID 3124 wrote to memory of 3384	3124	eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe	89
PID 3124 wrote to memory of 3384	3124	eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe	89
PID 3384 wrote to memory of 4892	3384	usnscv.exe	90
PID 3384 wrote to memory of 4892	3384	usnscv.exe	90
PID 3384 wrote to memory of 4892	3384	usnscv.exe	90
PID 4892 wrote to memory of 3524	4892	cmd.exe	92
PID 4892 wrote to memory of 3524	4892	cmd.exe	92
PID 4892 wrote to memory of 3524	4892	cmd.exe	92
PID 3524 wrote to memory of 3868	3524	cmd.exe	93
PID 3524 wrote to memory of 3868	3524	cmd.exe	93
PID 3524 wrote to memory of 3868	3524	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac08db3fa1c18e939aba316744b3aeb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1376
    3⤵
    - Program crash
    PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3384 -ip 3384
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
148B

MD5
6f893fa27049e87617787e4964ad5ecb

SHA1
2efa3418e797e4d5ced66044eff405cb2f93060c

SHA256
a9912cc06ab8465ecbf27c5b6887ba94421e213d1fff1467ee1d8f20a72f0b60

SHA512
08188fd11947612212701c3fffc253bb69530091115cf6c59650ed70851a8b56b5508cf458df9e742956144be1b3738560a33871a4be782798a63f04b7dae57f

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
371KB

MD5
261f8f41c5ebde7d803a9f5b54a0a31d

SHA1
562b4a28bb63bc1f5fb3e1929542b401613a71c2

SHA256
9c4babe2ac629a565f9a6ed31ca9a93b2e764dc5449ecb5b54a05ff154e6a222

SHA512
ae3a87d6560c3b9e905b4e76d0c97407fd49dc700ddb2090963e7f51eb6a0cd16a9fa13464425400994d7589334cf0d61d2e06c9a65491bd180f9f8543d28058

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
676KB

MD5
04eaeafbb8694b0ebcbfde1aa57a94f7

SHA1
31efde2ba3e1e6f9e2260fa06ed5947a088b6579

SHA256
de96b38a3e13383e2e9300d03a69706750c170e3bcb8ede863266b4683e58fb5

SHA512
3345fa02ee2708d766718cc9b56c93b2096c516e9ea647533379e2f4a54e5ca0ac1bce2348659fe03bcd0d954300fd42acc2ed36ee4f61579839059dbad9a9c7

Download Submit
memory/3124-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3124-14-0x0000000004000000-0x000000000417C000-memory.dmp

Filesize
1.5MB

Download
memory/3384-13-0x0000000000A50000-0x0000000000AB2000-memory.dmp

Filesize
392KB

Download
memory/3384-16-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3384-21-0x0000000000A50000-0x0000000000AB2000-memory.dmp

Filesize
392KB

Download
memory/3384-20-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3384-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3384-25-0x0000000000A50000-0x0000000000AB2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads