5bef40ada35f18a826b25404aebebc8143e898411d1db77a61f79efa2c018ad7

General

Target

ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe
Size

166KB
MD5

ead21fb652823bb0861ac73a96b23abb
SHA1

815e706d7b3fb32adf45bf4aa5759ebdef14e3cc
SHA256

5bef40ada35f18a826b25404aebebc8143e898411d1db77a61f79efa2c018ad7
SHA512

003fdb1f95accfda593dddabc5d0ddd342c43d098f9955da4e083d260cf4e100644e2c7c3223c807fc76a3b0869395d599b15baaaa1f4be8957453910d0d0437
SSDEEP

3072:W0A2QfyV2jXJx+SuH7W575zgrUpWNPFNmHC1NFPqoLFTfPJEA/1w/sgWWr8pIOVl:W0Pexo27pgrvFmEHJnSs1wYzpIOV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3220	NewSrv3.exe
2564	iPatch.exe
1424	NewSrv3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 3476	1424	NewSrv3.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iPatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewSrv3.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	NewSrv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	NewSrv3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	NewSrv3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	NewSrv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	NewSrv3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	NewSrv3.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3220	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	82
PID 3488 wrote to memory of 3220	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	82
PID 3488 wrote to memory of 3220	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	82
PID 3488 wrote to memory of 2564	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	83
PID 3488 wrote to memory of 2564	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	83
PID 3488 wrote to memory of 2564	3488	ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe	83
PID 3220 wrote to memory of 1424	3220	NewSrv3.exe	84
PID 3220 wrote to memory of 1424	3220	NewSrv3.exe	84
PID 3220 wrote to memory of 1424	3220	NewSrv3.exe	84
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56
PID 1424 wrote to memory of 3476	1424	NewSrv3.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ead21fb652823bb0861ac73a96b23abb_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\NewSrv3.exe
    "C:\Users\Admin\AppData\Local\Temp\NewSrv3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\NewSrv3.exe
      StubPath
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1424
- - C:\Users\Admin\AppData\Local\Temp\iPatch.exe
    "C:\Users\Admin\AppData\Local\Temp\iPatch.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NewSrv3.exe

Filesize
93KB

MD5
3efa7fb495c824e4a95d00cc66430fe8

SHA1
9774c31e329255a48141ff1cc222910c2ee88668

SHA256
c771b008506ae133929d72f5bd69f503de70b02b2e746cd103e00f8850b400ab

SHA512
9fb1ed7e2bd6b2292d2b8ef100bc790a0b0fb462bc2b0087735ba81c1a3fe08af2d503dff4d04835414c0356edeb5db949c57c3595ec389a1af4705bdab153af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPatch.exe

Filesize
69KB

MD5
59ca358d62b768bdbe842e356a8a799c

SHA1
f81e4eb5e4ce5eb2a02c25dba86c35f166eb4b34

SHA256
5d5e85edac16fc502eab12d31903d054aea8132f5f27c38d78d65d7e2aec0c77

SHA512
4335694d074f26b4dc3ec1ec437e442228a10e286150e676f50e088ade18fb74214a2a01af055a2ec913cd141f89ee837220a646818ae184cff608877425a1d7

Download Submit
memory/1424-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1424-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2564-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2564-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3220-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3220-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3488-0-0x0000000000400000-0x000000000042B4A1-memory.dmp

Filesize
173KB

Download
memory/3488-19-0x0000000000400000-0x000000000042B4A1-memory.dmp

Filesize
173KB

Download

Analysis

Sharing