5a03f2a56ef606dac1f760d3ce6911d96bc60f4a18a502b3f808af3ad4596418

General

Target

ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
Size

338KB
MD5

ead240801955f8d3262d47e6755eebcd
SHA1

de873835cd62efe5eccca4aabb15f73fce9210b2
SHA256

5a03f2a56ef606dac1f760d3ce6911d96bc60f4a18a502b3f808af3ad4596418
SHA512

cfe33dd8824b48b12d005458edfe351a713493d1d8d0e9129644a39c78bab915309b27419f4219f196e0641d7bb88bee0c879c2e77ee130c7f2f27498954263d
SSDEEP

6144:JbXE9OiTGfhEClq9sV3f8jD6+MRZPvgnxg/X7QtC2iju1uZY:xU9XiuibkjGbXKg/7QRijw

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\test5.bat	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	i1.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\p.txt	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\i1.exe	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	4948	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	mspaint.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1248	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	mspaint.exe
4996	mspaint.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4996	mspaint.exe
4548	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 4996	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	87
PID 228 wrote to memory of 4996	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	87
PID 228 wrote to memory of 4996	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	87
PID 228 wrote to memory of 2680	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	88
PID 228 wrote to memory of 2680	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	88
PID 228 wrote to memory of 2680	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	88
PID 228 wrote to memory of 4948	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	90
PID 228 wrote to memory of 4948	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	90
PID 228 wrote to memory of 4948	228	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	90
PID 2680 wrote to memory of 1248	2680	cmd.exe	98
PID 2680 wrote to memory of 1248	2680	cmd.exe	98
PID 2680 wrote to memory of 1248	2680	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\ololo\ku4uqt.jpg" /ForceBootstrapPaint3D
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\drivers\etc\test5.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s snapshot.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:1248
- C:\Program Files (x86)\ololo\i1.exe
  "C:\Program Files (x86)\ololo\i1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 680
    3⤵
    - Program crash
    PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4948 -ip 4948
1⤵
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\i1.exe

Filesize
254KB

MD5
51068d506df3f6b8a3767759909e6d3d

SHA1
5b96fd7c31e7a513b52cc9aa1daf18839d429ec8

SHA256
cf4e9106bc5bff90d472ef3f0e108d111900f59cc17134946dbef3fb30e828b9

SHA512
5587e9e7e3a49a5aa09e7cd513a3fcfa44209fb1ecb2944833d5dacb7a3c4eebc1d82c8d2553508ef97e2b940b4181578d1acbe70a1ef606ad16afb7e4fc8527

Download Submit
C:\Program Files (x86)\ololo\ku4uqt.jpg

Filesize
32KB

MD5
ee7d95487327fd9d4df0f9f93b3b4e51

SHA1
3fda7c506a19eab14da7bbe151522756b47c2e00

SHA256
65f7d0b00e94ac3831e760e32ebca49e97d39de7ed964f632ab13603c93962aa

SHA512
8aad558a54be3440b486760beb5f860b741dff42d43dc235bf6b45e1f17582037f3af7cbe6e3c9e240ae4fd4eb7d55995629e319fe8c54cc024a31da0378d5d8

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
2B

MD5
6512bd43d9caa6e02c990b0a82652dca

SHA1
17ba0791499db908433b80f37c5fbc89b870084b

SHA256
4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8

SHA512
74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f

Download Submit
C:\Windows\System32\drivers\etc\test5.bat

Filesize
24KB

MD5
62f9d341647e32cb5af21a6fd36fc668

SHA1
8be014ce5a03d4c575a920c97e9df1b98fbfecc7

SHA256
dad3836bb050f520806aa8ac3bb626f5efce1bf209652234597beac1ca0b3710

SHA512
795dd8cec0c37a7bf9985b460edcc862494d3bae38d8698c55c5518fd7dfe3f6cdd510bda96ef3d2df1aa8416404e5f866e04db6e9cfe3becae2e0238f646943

Download Submit
memory/228-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-36-0x000001D286BA0000-0x000001D286BB0000-memory.dmp

Filesize
64KB

Download
memory/1316-40-0x000001D287620000-0x000001D287630000-memory.dmp

Filesize
64KB

Download
memory/1316-49-0x000001D28F7B0000-0x000001D28F7B1000-memory.dmp

Filesize
4KB

Download
memory/1316-47-0x000001D28F730000-0x000001D28F731000-memory.dmp

Filesize
4KB

Download
memory/1316-51-0x000001D28F7B0000-0x000001D28F7B1000-memory.dmp

Filesize
4KB

Download
memory/1316-53-0x000001D28F840000-0x000001D28F841000-memory.dmp

Filesize
4KB

Download
memory/1316-52-0x000001D28F840000-0x000001D28F841000-memory.dmp

Filesize
4KB

Download
memory/1316-54-0x000001D28F850000-0x000001D28F851000-memory.dmp

Filesize
4KB

Download
memory/1316-55-0x000001D28F850000-0x000001D28F851000-memory.dmp

Filesize
4KB

Download
memory/4948-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing