fc2b5d7c4cd58e75f81769dd38ef9280f8e45d0a1abb1c01c7fdb779d7400c79

General

Target

f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe
Size

6.2MB
MD5

f0563e2e63b3b99da874d49285e1f83c
SHA1

96cc6ca610345d0c99abb584f40de09b8bc9a4c4
SHA256

fc2b5d7c4cd58e75f81769dd38ef9280f8e45d0a1abb1c01c7fdb779d7400c79
SHA512

9741f3663ba3c11ec7757c8d5ebce716eb0529cb1669442188d780206232207bacd89c36f8495d591b9188f7ec59545dae4f4b530a76c2e653946619b43b11bf
SSDEEP

98304:aTXsd4SE/+8WyvmzVja0S9aorgw1LEEk6G3uVpnfH7jbJZfb4MndVLvaKSRa:awdmZezVO0H+NRkhebnfbXzb4udzSY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1372	setup.exe
1724	SwSetupu.exe

Loads dropped DLL 3 IoCs

pid	Process
3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe
1372	setup.exe
1372	setup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\swsetup.in~	SwSetupu.exe
File created	C:\Windows\Hardcopy.log	SwSetupu.exe
File created	C:\Windows\SwSetupu.exe	setup.exe
File opened for modification	C:\Windows\SwSetupu.exe	setup.exe
File created	C:\Windows\swsetup.in_	setup.exe
File opened for modification	C:\Windows\swsetup.in_	setup.exe
File created	C:\Windows\swsetup.in~	SwSetupu.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SwSetupu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	SwSetupu.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SwSetupu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	SwSetupu.exe
1724	SwSetupu.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1372	3032	f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe	30
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31
PID 1372 wrote to memory of 1724	1372	setup.exe	31

C:\Users\Admin\AppData\Local\Temp\f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0563e2e63b3b99da874d49285e1f83c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SwSetupu.exe
    setup.exe "C:\Windows\swsetup.in_" C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\Hardcpy1.bmp

Filesize
5KB

MD5
d410440aeb1645f61ce6d55ec97dfcbc

SHA1
f692d4a989016b26f9f2eccf6ff740a4928965bb

SHA256
d7c49f084e1ec3128d2765e9d70253176e606db6cd8e2101368b4d55e27363d3

SHA512
85c1eb5a3ad5cbd41eea31274ce6dfa1773841925df84510aaf51b4d251644b29e8e504bea29a485274efbf95c40863acd5e2d4c1914972c87c89e7f082c9f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\swsetup.exe

Filesize
1.6MB

MD5
32569edf3af46ada7086eed0c020759f

SHA1
a841d77305fb2ebff810e8e44649d8ef08212e03

SHA256
a25b28198a45343ea4312d603087349c05965590348690c7e1644307eef40209

SHA512
87e8b55bae8aa2431f018c426b0da9aa1c929793108a44478c5ef7ece01110761cbff8be694e8aec64d924ddcc2c743db4cce3ddbba34c6ae85a49aa1e92e8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\swsetup.in_

Filesize
12KB

MD5
8f895db008627305dbdd266f67c0012f

SHA1
aba72a9f2d22676bb6686fb72ce485f7dd806950

SHA256
4b03ae02bbb85c2a1f9cfdb58173f680aceb334d8f0d1f3bd8ec69ebb1e336ec

SHA512
a854fcc4e82e68a07903528101196f12f6bdd023190a1b3529f27781d1a0107fea6cee735d829da7a6b3b7c5387b8c5558e82ebf9448d4bbd977e6bd5fde6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\version.ini

Filesize
31B

MD5
aa456922f38f58bc861a0c5986b19935

SHA1
54d9c10f7e7ea74805364282eae3dbc1cf4d2053

SHA256
e03df05e2539e663c1158d102e9b317cbb52a3434c1e55194bd69c3990c5be5c

SHA512
deb2ad8990ada56564656836c26b744d601be91d52133089bb3d7e757646734142ec7366a9da3d67295ab983554b68c275c076ea28aa95a32e42d3e25600a343

Download Submit
\Users\Admin\AppData\Local\Temp\7zSED6B.tmp\setup.exe

Filesize
46KB

MD5
1fe3b3c141a5f78a459ece553d5ce9e8

SHA1
a0e43f98883fe2df2ec46d5a0e9a000712f54b4f

SHA256
e1a6ce074da23152bc36d68141ce95f97cba89198da003f036a372d45903cd6a

SHA512
1fcd9ecd99d7b2d24eb7acc643870cad4d85028363309fe65ba632df1413f640be8183ee4e820879f681504920f9af452642ba454555eccf52e6de26465362cc

Download Submit

Analysis

Sharing