5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b

General

Target

efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Size

369KB
MD5

efbcb62c2f180599cbe7d4925e30324b
SHA1

a41da44737478a6b2180639dbf931754a04d5ee8
SHA256

5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b
SHA512

1797f314186f51ccc246728e99260f581fe370593b0390a79068b6bd811da9231cd1583230bb460e4d1b84fa32fb779887cebc9a884128c21b44d8d0a0a3cb61
SSDEEP

6144:UQqOAE4QqtfosaF2pC3gRrxFNQ1EwU4hQ1lxKuPIYt1Iy8tZSIOZrc5ovh2/juMl:7AEwoHF8/rxTR9vx1gYo5t7OZrWfhz

Score

7^/10

discovery vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	cfÎÏÅ£Í¸ÊÓ.tmp

Executes dropped EXE 3 IoCs

pid	Process
4996	cfÎÏÅ£Í¸ÊÓ.exe
3196	ÎÏÅ£Í¸ÊÓ.exe
3812	cfÎÏÅ£Í¸ÊÓ.tmp

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00080000000234db-15.dat	vmprotect
behavioral2/memory/3196-22-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral2/memory/3196-26-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral2/memory/3196-53-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3196	ÎÏÅ£Í¸ÊÓ.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\DcomServer\DcomServer.exe	cfÎÏÅ£Í¸ÊÓ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfÎÏÅ£Í¸ÊÓ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÎÏÅ£Í¸ÊÓ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfÎÏÅ£Í¸ÊÓ.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4880	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3196	ÎÏÅ£Í¸ÊÓ.exe
3196	ÎÏÅ£Í¸ÊÓ.exe
3196	ÎÏÅ£Í¸ÊÓ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4996	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	84
PID 5100 wrote to memory of 4996	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	84
PID 5100 wrote to memory of 4996	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	84
PID 5100 wrote to memory of 3196	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	85
PID 5100 wrote to memory of 3196	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	85
PID 5100 wrote to memory of 3196	5100	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	85
PID 4996 wrote to memory of 3812	4996	cfÎÏÅ£Í¸ÊÓ.exe	86
PID 4996 wrote to memory of 3812	4996	cfÎÏÅ£Í¸ÊÓ.exe	86
PID 4996 wrote to memory of 3812	4996	cfÎÏÅ£Í¸ÊÓ.exe	86
PID 3196 wrote to memory of 3704	3196	ÎÏÅ£Í¸ÊÓ.exe	87
PID 3196 wrote to memory of 3704	3196	ÎÏÅ£Í¸ÊÓ.exe	87
PID 3196 wrote to memory of 3704	3196	ÎÏÅ£Í¸ÊÓ.exe	87
PID 3196 wrote to memory of 2084	3196	ÎÏÅ£Í¸ÊÓ.exe	88
PID 3196 wrote to memory of 2084	3196	ÎÏÅ£Í¸ÊÓ.exe	88
PID 3196 wrote to memory of 2084	3196	ÎÏÅ£Í¸ÊÓ.exe	88
PID 2084 wrote to memory of 4880	2084	cmd.exe	90
PID 2084 wrote to memory of 4880	2084	cmd.exe	90
PID 2084 wrote to memory of 4880	2084	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\is-LG12B.tmp\cfÎÏÅ£Í¸ÊÓ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LG12B.tmp\cfÎÏÅ£Í¸ÊÓ.tmp" /SL5="$901DE,53248,53248,C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3812
- C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /f /im empty.dat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im empty.dat
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DcomServer\DcomServer.exe

Filesize
128B

MD5
5e3812d33b1c435db63bccf731438791

SHA1
879647516dd5ae0502cad6bd1c1cc2ea2d42c6d0

SHA256
3a07075a82de5dadd35479f057996673a953c8db0a44402b56c839f5a29520b2

SHA512
616ef8465c37d89a29c449eb477fc78b9e6bf39ce45e94345be762e30fc16ff772f7083694479c6867328f68e45785b948b8bb22a145e27b0a57cfe40a8e8ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe

Filesize
293KB

MD5
0c4bc62787fc144a93b21a94677bb3ad

SHA1
3264002ac77ffa02579ace7922446eb26fc62cf5

SHA256
b8b724b34b232d6a642d358b0dee70fd0db52be6e24386d799cd44b7812025eb

SHA512
1c566783b903ed9c064a10cbb034b42db73627b7fd5ab22b3ec012bc517e8e583fa72bdabccf5ab047c1e27be1e3d6f8159f4f675217b0348ca58991875c34b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LG12B.tmp\cfÎÏÅ£Í¸ÊÓ.tmp

Filesize
681KB

MD5
8e3e4508030c1ffdb0196309114eb841

SHA1
33656ec0c5b5ab8ce4ac566be0a95a96ec4ac40c

SHA256
6d9b3b086a0cd15c9fd32cf639c61e52d4d928d0112a7bb75e95f010e995dd2b

SHA512
6f16872abeb2de9ce3d881cf4b13778af03a305b068e99a8e59735bd4c13b5ad6f24a7aa44c2327cbfbb8351324ab85bb2157d719249fa29eb6f46061badffa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe

Filesize
84KB

MD5
cba0fa0915bf758b46c8a67ff2e5f5b5

SHA1
de0997c8671074c632c27fbf17c657d1c4219ff4

SHA256
6a3f90d5b0a892386a31473e72a07736e2f11a7aa1c95f43e483f8fd27452b5a

SHA512
0b925dfad6caa5ba59ceba727f71b97f16e919cee178c15886f563955d5abcbdc72e4c2b17e6a18267ef7bd74ac2e2128d5e361105834711c71ffc27cc9ac479

Download Submit
memory/3196-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3196-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3196-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3812-61-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-55-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-65-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-38-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-90-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3812-101-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4996-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4996-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4996-25-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4996-102-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing