b3e1c93381cb5baa71fe115b5c5b6008e7a41a8cdd2126821b0c6925476b189c

General

Target

fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
Size

123KB
MD5

fdae8a2fa0a40c823adfcff270b86516
SHA1

38ed6d94b25392cb43e2e9c1ac143d3831f409f6
SHA256

b3e1c93381cb5baa71fe115b5c5b6008e7a41a8cdd2126821b0c6925476b189c
SHA512

04726038e5b283f5203c4d945a030419acffc7256ba8be1f3df96ad32701b1b13ce7f932d80bb7f7de4ce5433f36ebd60a7440b14d72f5dc402247db801d6c95
SSDEEP

768:SuBqXCpLszRX+mzgFCipZw7RjMauxBAOK/2uxBAOK/1AiJyPCp05N3FnT:ZBqSpLsVXPcCGRxCOK/1xCOK/76NVnT

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3136	GaiaOnline Gold Granter.exe
1608	gaia gold server searcher.exe
632	gaia gold server bypasser.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4992-31-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaia gold server searcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaia gold server bypasser.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3136	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	85
PID 4992 wrote to memory of 3136	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	85
PID 4992 wrote to memory of 1608	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	86
PID 4992 wrote to memory of 1608	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	86
PID 4992 wrote to memory of 1608	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	86
PID 4992 wrote to memory of 632	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	87
PID 4992 wrote to memory of 632	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	87
PID 4992 wrote to memory of 632	4992	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe
  "C:\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe"
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe
  "C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe
  "C:\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe

Filesize
21KB

MD5
ff94479fd616dd1569432e6de291352b

SHA1
6f25174c49eca86e7cd5ae669a9fa7bbb14456e2

SHA256
d3c0d3c07addd9edf098d011bff6f9ed2193985d161da3c5100092a44d8a940b

SHA512
57ed5a1ea517477dafc57c99ea747654797ac933cc77bfb32ccbbef2492a679361718b525ac4f037a9c96356b3affa0f2caff149a9510078fbcd27e9cb48b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe

Filesize
24KB

MD5
1772d750efe4723464b63e6d454f31ed

SHA1
16cd335bcd1718619d865e50a1b3f4e692d7ab28

SHA256
45217507b0a8f8b69b2a15d713534329ad41bfc3241b3126e61dd9138ecdb7a1

SHA512
879bbda26bd459b4e01d0d22b4e755269b86a99c30310c5a32ebc6f411040d4b39318a08a1cbf3d9697232d304407805943a98ca236656ab830ad949e5eea3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe

Filesize
24KB

MD5
8ddf4bc8ba51c97892e8d977af5f171a

SHA1
b389b20a3510fa7acfc4c8e361c7311a665201bc

SHA256
8f1dff0e3afdb3c815597f039999f7730a3893f580a19ceca9d5d5be20191923

SHA512
0633121d2ecf3eb2298fa5618e2b2ab72568151b2f59a39d3e4bbb874e950ca77fd63317634fb9faa6b013e33d1c7ebb353b35dfda082a87aa7b0a351bbce870

Download Submit
memory/3136-39-0x000000001C300000-0x000000001C34C000-memory.dmp

Filesize
304KB

Download
memory/3136-32-0x00007FFBD72C5000-0x00007FFBD72C6000-memory.dmp

Filesize
4KB

Download
memory/3136-33-0x000000001B670000-0x000000001B716000-memory.dmp

Filesize
664KB

Download
memory/3136-34-0x00007FFBD7010000-0x00007FFBD79B1000-memory.dmp

Filesize
9.6MB

Download
memory/3136-35-0x00007FFBD7010000-0x00007FFBD79B1000-memory.dmp

Filesize
9.6MB

Download
memory/3136-36-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

Filesize
4.8MB

Download
memory/3136-37-0x000000001C1A0000-0x000000001C23C000-memory.dmp

Filesize
624KB

Download
memory/3136-38-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/3136-40-0x00007FFBD7010000-0x00007FFBD79B1000-memory.dmp

Filesize
9.6MB

Download
memory/3136-41-0x00007FFBD72C5000-0x00007FFBD72C6000-memory.dmp

Filesize
4KB

Download
memory/3136-42-0x00007FFBD7010000-0x00007FFBD79B1000-memory.dmp

Filesize
9.6MB

Download
memory/4992-31-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4992-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing