c13d7d1dca1d22b26403a1a30d2dea359869a60605e1a1f092796fcea77d8069

General

Target

ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
Size

432KB
MD5

ead2793e4c0f27b9cf4bf13be871b335
SHA1

0853073f0b345de18d50c6015b9ecf84939de407
SHA256

c13d7d1dca1d22b26403a1a30d2dea359869a60605e1a1f092796fcea77d8069
SHA512

0d2f1f9c98a44d7f19f9bc41eadc033947559e36c3f58e6721348b92a72565c2626724da228bf447458042ab3d648081625251156af104b30f2df194edc46303
SSDEEP

6144:kudNyolqqHP4uLVtbgYQwkkQBtDuodQ82p4b9s4s6H1JhlhssNTy:kB+qqv9VtMTwkxDDxb9M6Hx7ssE

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4056	Wealth.exe
384	Encoronate0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wealth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Encoronate0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3108	schtasks.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
384	Encoronate0.exe
384	Encoronate0.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
384	Encoronate0.exe
384	Encoronate0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
4056	Wealth.exe
384	Encoronate0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 3108	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	87
PID 3468 wrote to memory of 3108	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	87
PID 3468 wrote to memory of 3108	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	87
PID 3468 wrote to memory of 3916	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	91
PID 3468 wrote to memory of 3916	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	91
PID 3468 wrote to memory of 3916	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	91
PID 3468 wrote to memory of 4056	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	93
PID 3468 wrote to memory of 4056	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	93
PID 3468 wrote to memory of 4056	3468	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Milieukravene" /TR "C:\Users\Admin\AppData\Roaming\Encoronate0.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "Milieukravene"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\Wealth.exe
  "C:\Users\Admin\AppData\Local\Temp\Wealth.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4056

C:\Users\Admin\AppData\Roaming\Encoronate0.exe
C:\Users\Admin\AppData\Roaming\Encoronate0.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wealth.exe

Filesize
108KB

MD5
883dc3715b6baef0e334fd9b71ad7dc1

SHA1
60670c8da90a3f7b1846c991d3c37e58d8165c70

SHA256
6ba00445a5c30db7e57de9335d2afc28a63315badef37d97af8b602b9e820aeb

SHA512
7924a5107907a5e0d84f9c08c5a23f8a86368bc26c9c72fdae483b3d67023fec49f98b168cc632b32fa5d21754e142843ad57b332d6b0309b76ec36255fe8933

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos\logs.dat

Filesize
79B

MD5
d9368650be523fdf6aa55789ac91a7ad

SHA1
1bb1266e7b13297e12e194bd52ba569f45d7b903

SHA256
46247ffb47e67619e20e436b4c38cfa86463cbb7687994bcee9dd6d2a4c62b04

SHA512
6213a13447ff4106c4e275147a85f1615a159664bd17e1795aa5f2873e93fa8d677675272bab3372f7a035ad3e4f851f191144186bdff48d270ab618181dd445

Download Submit
C:\Users\Admin\AppData\Roaming\Encoronate0.exe

Filesize
432KB

MD5
e43c9f8320455a0e38f761377ebed70d

SHA1
2ee22adc5532cba00d19df2174e2cfb853b99280

SHA256
8a750132f5ff640bb1c68bf18b131a42c1a2b3e5da5e3c52e81bd12b14474005

SHA512
0cc052164525d9ada03397e96dce4c3682ceef2360731a83c1ae3576e5906546e05e6e12796ac4e2a5d6300af97a900e84626ae25c1f29856e298734062b10c9

Download Submit
memory/3468-2-0x00000000771E1000-0x0000000077301000-memory.dmp

Filesize
1.1MB

Download
memory/3468-12-0x00000000771E1000-0x0000000077301000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads