ca7f7fcf09e61568e9d86978e23d48b8c42079e889c9e82fc317e020a7c0fbce

General

Target

fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Size

846KB
MD5

fd2f3590596c66a7c2292653817ca2c5
SHA1

6303391278335dc63a899f80bd3ec508340cfd98
SHA256

ca7f7fcf09e61568e9d86978e23d48b8c42079e889c9e82fc317e020a7c0fbce
SHA512

35b54b9d3767ee00d3ee671fb95d485bdad3104ff6a0939e29093003195c0577b31bb388163c6d5c15aaa16413bca0fc7b5edf1c717bcd658e9d5f138ce479ce
SSDEEP

24576:DtWEmllf2nhgPqqCO84G3bHkTwtcTBCQ2u2SN:D+KxtEG3bHkM412u22

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3952	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3952	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1992	2816	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	84
PID 2816 wrote to memory of 1992	2816	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	84
PID 2816 wrote to memory of 1992	2816	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	84
PID 1992 wrote to memory of 3968	1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	85
PID 1992 wrote to memory of 3968	1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	85
PID 1992 wrote to memory of 3968	1992	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	85
PID 3968 wrote to memory of 3952	3968	cmd.exe	87
PID 3968 wrote to memory of 3952	3968	cmd.exe	87
PID 3968 wrote to memory of 3952	3968	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\nst83E7.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nst83E7.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst83E7.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst83E7.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26937.bat" "C:\Users\Admin\AppData\Local\Temp\26D80B573AF74AB48EDB148D88E46ACF\""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26937.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D80B573AF74AB48EDB148D88E46ACF\26D80B573AF74AB48EDB148D88E46ACF_LogFile.txt

Filesize
10KB

MD5
8f5787cb5569956b63f30eb3a7f67613

SHA1
5706e9a3d37768897143af4f18265b8b5c1129ed

SHA256
457f4d2e7add85d3e43ab3f83af2469ef4ddfc71e336161c264473357789af84

SHA512
3f6e768b1d5fe120f897077359268f0ac8fade5100091e418c49b5ed5df32d4582dc58e91f7a3b7a070e470c9489627b70ad7ae0303904bcedf74c1cf23c1e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\26D80B573AF74AB48EDB148D88E46ACF\26D80B~1.TXT

Filesize
124KB

MD5
f272f51a09dff964d966e52e7dd7bedb

SHA1
d23d3adf71691eb8ae54cbeed643e443ee854142

SHA256
586a507cecd7d179f7d65e641a474e7e58ba24b3888362d94cd0a82fec0dea75

SHA512
89c9db141014a366381da01434facde74f81bb5d219adc002f8c2dac9e263caad2e397bc153c00bd0b89d4c6365cd4b38f9ce0cea337a91a20896d703fc80dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst83E7.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Filesize
1.8MB

MD5
b1d671736e8e4afd77b6a84f52a85165

SHA1
3392417c0f9ed0a3b0c3bac4b66f22ed459b29dd

SHA256
9cffb8f38ca1ff1c7a6244e17dee39d8d379ba5816ced18aeadd91b46aa4a37c

SHA512
4ef78e54759f0a829daea4f79b75827dba6bf6a05666154112b535922a822152df40db2f2fca71fbfcf48ed8f3e730597a936bd8e40dc6192874c1608259b299

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst83E7.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst83E7.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
memory/2816-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads