91d0fed9d4ffdce38cc0e93207008c63dca622e689c18592c7911ce64a813a43

General

Target

fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe
Size

404KB
MD5

fba33c4fd02d843d8c5ba13183438d16
SHA1

792f663e417e213614346f4470cad73fcb74404c
SHA256

91d0fed9d4ffdce38cc0e93207008c63dca622e689c18592c7911ce64a813a43
SHA512

366ef325389935cbce72d18696567379571475b029a50854f930a5e3216ab8feed2084ae78f5ff6ba7a0cba4593016c1bb59c1b26f426c4b44b8d2dcd2dde8ba
SSDEEP

6144:JliLMpWQbFK5bw4khFr8hZCsHNODtZL/GGdWvTndYqCr38:KQb45bw7r8DC0RVbJCrs

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4588	Magazine - BBC Electric Proms 2009 - mp4.exe
1900	7za.exe
1524	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magazine - BBC Electric Proms 2009 - mp4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4588	Magazine - BBC Electric Proms 2009 - mp4.exe
4588	Magazine - BBC Electric Proms 2009 - mp4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4588	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	82
PID 3472 wrote to memory of 4588	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	82
PID 3472 wrote to memory of 4588	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	82
PID 3472 wrote to memory of 1900	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	83
PID 3472 wrote to memory of 1900	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	83
PID 3472 wrote to memory of 1900	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	83
PID 3472 wrote to memory of 1524	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	85
PID 3472 wrote to memory of 1524	3472	fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba33c4fd02d843d8c5ba13183438d16_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\Magazine - BBC Electric Proms 2009 - mp4.exe
  "C:\Users\Admin\AppData\Local\Temp\Magazine - BBC Electric Proms 2009 - mp4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Magazine - BBC Electric Proms 2009 - mp4.exe

Filesize
162KB

MD5
70b7c6e977a05ccd9ba2a3ada7d14bee

SHA1
0ff0986ba250e29dd68e76efb613dead3be0d5a6

SHA256
83331dc150a4326c7b50cedfe9d61660f5e94d75809736a334f9f0b28b2933ac

SHA512
4ebae7f4d01fd30cd72f39ae20a0e0ed4710159ec4d6822ac25aa28eaec7e89db414ee57cae7ff3c11cf691954d8d8e2755e03a8f1fd9f7def26eef0823448b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
0e95182baf5543903f671c45bbf285f7

SHA1
1849a45389a30b0b714f880cfade0a88ee8a9a9b

SHA256
4a964646ca0d6373c0280561053ac9cc6591c1ec7b3650834b87bef8a294dd04

SHA512
c74bb13fa4904ed91a9a6e23091a057b329519440255c5fe90db67d382f46e78128715bb7458239bc4b7e0d36ddca7439eeff7cea9720d9121e09dfc8b1c06e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy7496.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/1524-28-0x000000001B2D0000-0x000000001B376000-memory.dmp

Filesize
664KB

Download
memory/1524-27-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/1524-29-0x000000001B850000-0x000000001BD1E000-memory.dmp

Filesize
4.8MB

Download
memory/1524-30-0x000000001BDE0000-0x000000001BE7C000-memory.dmp

Filesize
624KB

Download
memory/1524-31-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1524-32-0x000000001BF40000-0x000000001BF8C000-memory.dmp

Filesize
304KB

Download
memory/1524-33-0x000000001BFF0000-0x000000001C050000-memory.dmp

Filesize
384KB

Download
memory/1524-37-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing