9281193e4502ea5231e4c5be6a987378fdf7010c72f880a5fc9940376b439d39

General

Target

fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe
Size

1.1MB
MD5

fab8dddc51857b7701e3bd31b85cdd65
SHA1

42eb5e91e45a0d00b159e8b2770a53d3d25be380
SHA256

9281193e4502ea5231e4c5be6a987378fdf7010c72f880a5fc9940376b439d39
SHA512

a949eb49972d1a6a4491c8091a24ac8481753ff11d90d892a16092a094740cb3f80aa0d162464569e3403e43037c1437ab558a0c70bc508517719029e5afb2f2
SSDEEP

24576:edxgKkMgS6G02uolau32IJIZ3cRd5Pt02sFl:IkK6GDuolg9cRd5P/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4068	Music.exe
3556	CSHack 2.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSHack 2.0.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe
3556	CSHack 2.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	CSHack 2.0.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 4068	1504	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	82
PID 1504 wrote to memory of 4068	1504	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	82
PID 1504 wrote to memory of 3556	1504	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	83
PID 1504 wrote to memory of 3556	1504	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	83
PID 1504 wrote to memory of 3556	1504	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\Music.exe
  "C:\Users\Admin\AppData\Local\Temp\Music.exe"
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe

Filesize
815KB

MD5
02c71941c205f1603ca8afffac3583a0

SHA1
cb2a085247392ea4eb834ab27d0e076fe67172b1

SHA256
6aeb26d964cae3779f94571ee1bd6b336c2efa023e93194f9817560c470ca426

SHA512
299db5c8f0d3fb3f74c093ae3a71e7c32b0598af0d461ea4f6e9b22edb581d4cb814803156c595806d4ecdf078cb2bb4040392f60f3547c3f8a022be2770b616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Music.exe

Filesize
15KB

MD5
0f487895395e75d1a493d1bdb3bc4852

SHA1
1c3ebc0233007e746a195769c927d6748cabe9f9

SHA256
d225db7c5c95612d4dbc013de1800bb415e11051d5109be0b7beacccc9da1a72

SHA512
9e26b03947982910e02f11b23ccb52f1549a32c2dcd7c3c26fae034a9e0d4f6882b49b6d7a144083d9dfaf8a95b0ab7a6b5632b262a9406b545718dd4ea66a0b

Download Submit
memory/1504-1-0x000000001BE50000-0x000000001BEF6000-memory.dmp

Filesize
664KB

Download
memory/1504-2-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download
memory/1504-4-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download
memory/1504-0-0x00007FFF44B75000-0x00007FFF44B76000-memory.dmp

Filesize
4KB

Download
memory/1504-30-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download
memory/3556-34-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3556-43-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3556-41-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3556-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4068-28-0x000000001B940000-0x000000001BE0E000-memory.dmp

Filesize
4.8MB

Download
memory/4068-33-0x000000001C070000-0x000000001C0BC000-memory.dmp

Filesize
304KB

Download
memory/4068-32-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/4068-39-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download
memory/4068-31-0x000000001BF10000-0x000000001BFAC000-memory.dmp

Filesize
624KB

Download
memory/4068-29-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download
memory/4068-23-0x00007FFF448C0000-0x00007FFF45261000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing