4df7df904dd601aa9409745ac03eebb82af2b38e305d291c50daa08575fd4fd4

General

Target

f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
Size

560KB
MD5

f63a59b6f4d36853de924dad804c6dab
SHA1

00073efc66f54bcf95c7de17d15939668e97a34b
SHA256

4df7df904dd601aa9409745ac03eebb82af2b38e305d291c50daa08575fd4fd4
SHA512

abcb86ae8f83af9276f0c73700631b9236fe08bebd9c0f1371b893609087afa1922007bef272667eb6e6770b8614f74ecabe8534e1521525604eb2e97fdab4b8
SSDEEP

12288:rTFmIDVPpBghDWVVWPU9RejrrwhtpNUuS1H0G2B:JWc9Rej/cUuZG2

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1372	9682.exe
1288	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Program Files (x86)\\system32.exe"	9682.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1288	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\system32.exe	9682.exe
File created	C:\Program Files (x86)\system32.exe	9682.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2012	1288	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9682.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1116	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	82
PID 1676 wrote to memory of 1116	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	82
PID 1676 wrote to memory of 1116	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	82
PID 1676 wrote to memory of 1372	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	84
PID 1676 wrote to memory of 1372	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	84
PID 1676 wrote to memory of 1372	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	84
PID 1116 wrote to memory of 1548	1116	csc.exe	85
PID 1116 wrote to memory of 1548	1116	csc.exe	85
PID 1116 wrote to memory of 1548	1116	csc.exe	85
PID 1676 wrote to memory of 1288	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	86
PID 1676 wrote to memory of 1288	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	86
PID 1676 wrote to memory of 1288	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	86
PID 1676 wrote to memory of 1288	1676	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s3l1a-yd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CB2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- C:\Users\Admin\AppData\Local\Temp\9682.exe
  "C:\Users\Admin\AppData\Local\Temp\9682.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 12
    3⤵
    - Program crash
    PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1288 -ip 1288
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\tasks[1].htm

Filesize
168B

MD5
a18b5b4084599a4331ce9bcca1843b32

SHA1
1e8f9ab3d8d79c36f2440c1e690612fdf8282cc0

SHA256
75074a91d7b2fd230fbf1ef5927ec0b6168a16785d24e9dffa8ebc57a28278be

SHA512
328101fe73a272ccea84b3b855564beb21a2431d5c5962fb157c2b15eb0cc7e74b88fcfae958d57e1b4290b6164e469b77fcbc251719c3d2a42e433b80bfe4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9682.exe

Filesize
119KB

MD5
db7a53837d26194d1f3ea4f31c55546a

SHA1
c887dccc0f4310980b1fd5ea46f048cc2b7a4bf8

SHA256
376b4d5bd45fad1d5878b6ed4130562d078ba73f4e19a200b23d72aaa50cf35a

SHA512
d47e60b41c93a5c92b60c175f9e31a4cc75f1a0dc0cb3ffd709ace4cd38ec7fec99e5ba661fdb9ab4305aa3913318b06dc265d99ff7d59a6be23ba4c3c96cdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CB3.tmp

Filesize
1KB

MD5
fcb20048959c945a68068adcc5bc04c1

SHA1
53f5781e3fa3a1f9f1c88731ff2be83043324981

SHA256
11c4fae2139a0af6c7a05b187cf26e6b281fa44bf1aa020b9490f0bf66a725d1

SHA512
0a4ba916c8a5a84906f9ae4c249207060cb72aa71a69581ba5d68cd3cd7877f1c3d794427591281144b5399b5b3f171d2b485af89e53116ec6a5bc50a7e384eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3l1a-yd.dll

Filesize
5KB

MD5
87747759ced84079dc66edd1c00f622a

SHA1
a8d05618695b02df2dd0e46cbf5f81b6f25048e3

SHA256
1f0db69e4cf4f15721b9eeffc9df741e64df1c9ed9dc029dc3cf0a29ffcc945d

SHA512
e49fe7a2191697d8d2d82b166e1aec9b25852185a603053e22bf335ee864beb8a48d6f96c60e7a4a4d4c46eead1371597109cec4e4c0c06d9bc56ec1da2bab58

Download Submit
C:\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7CB2.tmp

Filesize
652B

MD5
8a50d7de46dd7c7afd3ba31a640df142

SHA1
4104fde9063055ba22b1810fb1aafaa25cf9e19c

SHA256
d88ae41507f592d9ff48ce67e7eb990dd0e6b110371253fa9664066062f461ed

SHA512
32dd6a4e462b2dd990c4479d3311e380fbcfe28ffe5d6f85c469eff406e06b2ff69ba5dd8362a987dac756601b91f9658be60aaa3d0ce14ac54184a44dc942f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3l1a-yd.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3l1a-yd.cmdline

Filesize
206B

MD5
acd1d8e0fd0d74e25ba7145b5b07e563

SHA1
46a6f2b83d74f7793dc5af6ae921c8b695472f3a

SHA256
0106f9702e1f84089633381c15a596c060febe8c37bf161880c852c9e27d2d86

SHA512
35f68aaf3b24b58718761b66b54166cda8df850714f3148cefe5cb6794191063fcad733ceddd7864b1602468c43e4832f351369e52ab68e5f7dbbebcb886bc58

Download Submit
memory/1116-16-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/1116-23-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/1372-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1676-0-0x0000000075192000-0x0000000075193000-memory.dmp

Filesize
4KB

Download
memory/1676-2-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/1676-31-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/1676-1-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads