012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef

General

Target

ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Size

323KB
MD5

ee87b1f331162ae2c1a81d063431e18c
SHA1

d635e6ec5992d046518807f26048495edb8796c5
SHA256

012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef
SHA512

657f7b2ff99a142cb9649dd2ca55783b720868c5e8f79ff3413cf4b44e4bc52c81fc0bc40e275e595157b6674d3bcae62affaddecb7560059a277baf0c604383
SSDEEP

1536:FkoVgaYJLFfLJEUI1qeXxyGA3N5eyD8SlNDSzvHFRiCCVGCWPGeSe+eooOoaoCo7:/tYJLFfLoWGA3N5ecY5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Del6BD9.tmp

Deletes itself 1 IoCs

pid	Process
4508	Del6BD9.tmp

Executes dropped EXE 1 IoCs

pid	Process
4508	Del6BD9.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\ddhnj.vbs	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\ddhnj.vbs	Del6BD9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Del6BD9.tmp

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	Del6BD9.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 668	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	82
PID 3128 wrote to memory of 668	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	82
PID 3128 wrote to memory of 668	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	82
PID 3128 wrote to memory of 4508	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	83
PID 3128 wrote to memory of 4508	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	83
PID 3128 wrote to memory of 4508	3128	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	83
PID 4508 wrote to memory of 3640	4508	Del6BD9.tmp	84
PID 4508 wrote to memory of 3640	4508	Del6BD9.tmp	84
PID 4508 wrote to memory of 3640	4508	Del6BD9.tmp	84

C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:668
- C:\Users\Admin\AppData\Local\Temp\Del6BD9.tmp
  C:\Users\Admin\AppData\Local\Temp\Del6BD9.tmp 712 "C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del6BD9.tmp

Filesize
323KB

MD5
ee87b1f331162ae2c1a81d063431e18c

SHA1
d635e6ec5992d046518807f26048495edb8796c5

SHA256
012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef

SHA512
657f7b2ff99a142cb9649dd2ca55783b720868c5e8f79ff3413cf4b44e4bc52c81fc0bc40e275e595157b6674d3bcae62affaddecb7560059a277baf0c604383

Download Submit
C:\WINDOWS\ddhnj.vbs

Filesize
266KB

MD5
8e5915159074918ea4d04bf06715a4c4

SHA1
8e98a3568fe653d890c8e58d78e3f094a60d922f

SHA256
f9553d6e62cd2c65b0defa28c3cb990811bf6c4e56d017b569752b88b5e2b223

SHA512
3aa84269f5e53645c4877c90830438d19d3e0b3dabfb65376e5305b06beb5ccb9f95e38bf0a3479078ad64d7cfdc26f0a87eda8466d67b0a66ee0922d3e27201

Download Submit

Analysis

Sharing