ee5c551c628f1d8e12b9552af557de33f7b2f1b26ab8118f5876dc3716d2f65c

General

Target

faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
Size

1.2MB
MD5

faeb0dd37f78b31302f32584a087a765
SHA1

7f51e3df8f6ab33215001a95ba6899b186caeafc
SHA256

ee5c551c628f1d8e12b9552af557de33f7b2f1b26ab8118f5876dc3716d2f65c
SHA512

91cfc116cf53f0a22024a7e085314b8a85c87fd6867397001248497cc581e3d6b648d16a4d9be90b33528f225e7aab8e4da477862dce8fcce2869d362d80a0a2
SSDEEP

24576:Ec//////VEqZkTh6gazysQATrtsLDgCjGx96AxvtyrM9gdTZ7XH8/B7WTky:Ec//////uqZgkgxsNQDbjGx9pvtABpXL

Score

7^/10

discovery persistence upx vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	11111111111111111111111111111111111111111111.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	11111111111111111111111111111111111111111111.exe
4864	xodnf.com-dnfpomo0701B.exe

Loads dropped DLL 2 IoCs

pid	Process
4288	rundll32.exe
4288	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000700000002361e-23.dat	vmprotect

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\systemp	11111111111111111111111111111111111111111111.exe
File created	C:\Windows\SysWOW64\sfcos.dll	11111111111111111111111111111111111111111111.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	11111111111111111111111111111111111111111111.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4772-5-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0008000000023618-6.dat	upx
behavioral2/memory/4772-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\rose.jpg	11111111111111111111111111111111111111111111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4308	4288	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111111111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xodnf.com-dnfpomo0701B.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4864	xodnf.com-dnfpomo0701B.exe
4864	xodnf.com-dnfpomo0701B.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4848	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	89
PID 1000 wrote to memory of 4848	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	89
PID 1000 wrote to memory of 4848	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	89
PID 1000 wrote to memory of 2160	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	91
PID 1000 wrote to memory of 2160	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	91
PID 1000 wrote to memory of 2160	1000	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	91
PID 4848 wrote to memory of 4772	4848	cmd.exe	93
PID 4848 wrote to memory of 4772	4848	cmd.exe	93
PID 4848 wrote to memory of 4772	4848	cmd.exe	93
PID 2160 wrote to memory of 4864	2160	cmd.exe	94
PID 2160 wrote to memory of 4864	2160	cmd.exe	94
PID 2160 wrote to memory of 4864	2160	cmd.exe	94
PID 4772 wrote to memory of 1364	4772	11111111111111111111111111111111111111111111.exe	95
PID 4772 wrote to memory of 1364	4772	11111111111111111111111111111111111111111111.exe	95
PID 4772 wrote to memory of 1364	4772	11111111111111111111111111111111111111111111.exe	95
PID 4772 wrote to memory of 5096	4772	11111111111111111111111111111111111111111111.exe	96
PID 4772 wrote to memory of 5096	4772	11111111111111111111111111111111111111111111.exe	96
PID 4772 wrote to memory of 5096	4772	11111111111111111111111111111111111111111111.exe	96
PID 5096 wrote to memory of 4288	5096	cmd.exe	99
PID 5096 wrote to memory of 4288	5096	cmd.exe	99
PID 5096 wrote to memory of 4288	5096	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe
    C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\sfc.exe
      "C:\Windows\system32\sfc.exe" /REVERT
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\del.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\5426.tmp",Runed
        5⤵
        Loads dropped DLL
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 748
        6⤵
        Program crash
        
        PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe
    C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4288 -ip 4288
1⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\rose.jpg

Filesize
68B

MD5
6c24a881dd26c9a53bc39e611834f6d7

SHA1
b606294cea3af1532644a236174ceffd3d1ae701

SHA256
bced0c5c91b8d94bfdf72a2348726c0e093784711c3e1283fabfc317dd745c3e

SHA512
a9fe841eba44bb17cbd7938c974ce5e5108a157e3241e2c70625824081b172b577fd8d1771907d582a62a9ddd39527fd341b36182bfd963d808440f9d25ec993

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe

Filesize
35KB

MD5
5e525156a93b2765c7bedb4f91ffdaaa

SHA1
ba8397a60cd2ce6478ae4e481a5229bad257814d

SHA256
67087607947f51641c2dd9a4b5e2b200667e03a595b80a27a4ad758faebd80ae

SHA512
f946010994ba03e1f1efa32ca2b20b4688c7cfeb03a01be9cb13a02d897d333454ffafb5b384a2d5437de0a193d83b29d646fd5cb4fb1ecf33ae08bd7561320a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5426.tmp

Filesize
47KB

MD5
15642dcd5e18b98eb8d3c50fd41a418c

SHA1
770b5b0b7b586801a67512766971b2c02a0d6eda

SHA256
ea33701f33beae443460054b2553c12d2d51b31883aa4c68ff720f127612e7ba

SHA512
c774516ea3ab0958101e2bb1d21b71b61ed40976d524240bc80062e8ba467e5e764e1ab6bbeec985c61ca2c80c9f3400f0d6e157880562f86bd5f38d52453b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe

Filesize
1.1MB

MD5
be42ec34d1494c587c8cffe99ef5d5c6

SHA1
ecf6b784b3649159ab3d33dea9d3144faf0676f3

SHA256
9f59189c97391308a6e179f230135e88f3f74b4f09015c3e5403ad32dfeb619f

SHA512
7c7a54a8d742d5ddc9cbb96fba7941f8acd1e18d3a3897e5481f290f89be024eec021e92599f0ec0091a0d125bdfa2b02936ba10b5222e627ab2f13e937f2483

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
\??\c:\del.bat

Filesize
283B

MD5
76d913576fd539e436e7a62de774e575

SHA1
2d43fada0a2c37bd1feb3e73ea3375d6ff45a162

SHA256
e1b237228dcc320246569b51cbaad2cce2320451ac91b83c672d019f5a93ade4

SHA512
5f31280a1beed50fe1c8600fd0899487a93474efc15d1557abf87e86bb63b2d5a06a1e725364d3c2ff6857d0c03302736a9130202b4102b0c39ac1b4e90a5a78

Download Submit
memory/1000-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4772-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4772-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4864-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads