9112ff45e06e893cb4eca5e45e69dc6383e9908fc1025cbc616aaeabc2f00f39

General

Target

ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe
Size

1.8MB
MD5

ef535403008e153353a6f169f9ed4013
SHA1

ae073a4139b6031778b6850535878170a7441743
SHA256

9112ff45e06e893cb4eca5e45e69dc6383e9908fc1025cbc616aaeabc2f00f39
SHA512

4fada6e6ed0f370f6d0da9a73fa7fe6a69d893d42496d990da76c9646a8a424c071302c896d58cf69ba4d611dec1c11addccbc9b953d2ff45f2125200e33c491
SSDEEP

49152:g5UyCgRTTSQGr4cvNB3PvgaCLrc3VhDyo:kCEavNrXR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 3 IoCs

pid	Process
5076	setup.exe
1184	server.exe
4460	plc32.exe

Loads dropped DLL 1 IoCs

pid	Process
5076	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\setup.exe	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\server.exe	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plc32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	plc32.exe
4460	plc32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 5076	4768	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe	89
PID 4768 wrote to memory of 5076	4768	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe	89
PID 4768 wrote to memory of 5076	4768	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe	89
PID 4768 wrote to memory of 1184	4768	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe	90
PID 4768 wrote to memory of 1184	4768	ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe	90
PID 1184 wrote to memory of 4460	1184	server.exe	91
PID 1184 wrote to memory of 4460	1184	server.exe	91
PID 1184 wrote to memory of 4460	1184	server.exe	91
PID 4460 wrote to memory of 3568	4460	plc32.exe	56
PID 4460 wrote to memory of 3568	4460	plc32.exe	56
PID 4460 wrote to memory of 3568	4460	plc32.exe	56
PID 4460 wrote to memory of 3568	4460	plc32.exe	56
PID 4460 wrote to memory of 3568	4460	plc32.exe	56
PID 4460 wrote to memory of 3568	4460	plc32.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ef535403008e153353a6f169f9ed4013_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\setup.exe
    "C:\Windows\system32\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5076
- - C:\Windows\SysWOW64\server.exe
    "C:\Windows\system32\server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\plc32.exe
      "C:\Users\Admin\AppData\Local\Temp\plc32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2540,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ci0-temp\install.bmp

Filesize
9KB

MD5
1463a5f9de903c9b0cdbc28920414b7f

SHA1
4a64da9fcdc2ef0588ec6c5d2a1e43e670b08648

SHA256
dca76d020730f2dff4852dd661880819753a074c50497536b9a4b6ffe8ea00c2

SHA512
ab65c14fab907d2536e9d4cc35fa88149d07304cc08dbc261fce055d953fa7d4fb8f62690a80bb9edfcc34f6ba7f540035c999a746ddce5f93ba0680159d7a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\gert0.dll

Filesize
88KB

MD5
33976355fddbceb0fbe54887ee4d1596

SHA1
914c49a8a58605186d7dabeb3a67b88578c84c14

SHA256
51baaf313b57462eaa38aaf69aea6e8dbbc20f3714343817266e7f35bc2235fb

SHA512
be34e4042074da841cfbdbe3a379489b7a968f69a2bb372ce5925e0328d259af2fc0d29d02a787b8d4cfe70158bfc018bf7f6da35c26e670aea847efe3cb8389

Download Submit
C:\Users\Admin\AppData\Local\Temp\plc32.exe

Filesize
63KB

MD5
5b6d8bab1a985efc291db70337a71203

SHA1
dd7b6d9980c6337b1f6279fefeda5658950ccb17

SHA256
4b23d1d95f83b98421889bf5d8831c33dad09853000168c4308d2b03b0c6ed07

SHA512
d2521d1a1179431d9b6e8095a7463952d7204b70325827a94c09196f8389a7fd3f0571c976e2be6fe12b6b1bf98ffadee1cc5b80fa7d4103c87e192da020f682

Download Submit
C:\Windows\SysWOW64\server.exe

Filesize
103KB

MD5
bcbc393197d2e314ffe083b9a5e4d76a

SHA1
583c38a839682518790a6b4b4ed5f95c20f43512

SHA256
f2e9d7ad823b5029a981d79453d39ae22002382167b07976cb031c301f4854f6

SHA512
812dff5a77656b9e69c606ca4ef992c73f84b409210a37bd78fb1bcabb832634f1afd167b62d73f6018d6797aec2ca08de2fc32fe0eb186c06f5a1a88e28d22c

Download Submit
C:\Windows\SysWOW64\setup.exe

Filesize
1.7MB

MD5
36dd5af0838d320007d34285fe4eab34

SHA1
3eb757301ff2dd29a4641078b6e1a04fe44eeeec

SHA256
6ca37baac1137b5b9e63974d3065335e6aece5984c0547c9ef229ee9936087ca

SHA512
21aa04af6be2a338bef83308765aec41cc125fea55a19bbb9a8e86d056e4b58196cf45644270c2f7b85348ac835f0e269c5ff485c9f7758f0f70ea0afc529e43

Download Submit
memory/1184-23-0x00007FFBF42D5000-0x00007FFBF42D6000-memory.dmp

Filesize
4KB

Download
memory/1184-30-0x00007FFBF4020000-0x00007FFBF49C1000-memory.dmp

Filesize
9.6MB

Download
memory/1184-29-0x000000001AF90000-0x000000001B02C000-memory.dmp

Filesize
624KB

Download
memory/1184-31-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1184-28-0x000000001B560000-0x000000001BA2E000-memory.dmp

Filesize
4.8MB

Download
memory/1184-27-0x00007FFBF4020000-0x00007FFBF49C1000-memory.dmp

Filesize
9.6MB

Download
memory/1184-58-0x00007FFBF4020000-0x00007FFBF49C1000-memory.dmp

Filesize
9.6MB

Download
memory/3568-50-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3568-53-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/4460-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing