292774947bc0ebacb4f38b801f264cbbfffe3eb7a79320fafa245cd62424307e

General

Target

ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe
Size

133KB
MD5

ff04ba3860366f3963fe0cf0067f7082
SHA1

99e1d45140c906890469265731c6a6aeb98a1a15
SHA256

292774947bc0ebacb4f38b801f264cbbfffe3eb7a79320fafa245cd62424307e
SHA512

0325bbdfdf5f6ae97322aaf99dcf7e76e0e5de0980a27edc765ed68eae6ac8ea93d967a30199e54eba00337935771b6f2a7303e1f052d4ed5868ef03c5b6fb7a
SSDEEP

3072:DK3gKNPYSYSvzDRAKYc031mhIJGuw14Hzr8WpaW6CwI5Rj4F63i688DviG:DKwqYlSbFAKYT1mhIw9KU5CwI9

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
1	5068	rundll32.exe
36	5068	rundll32.exe
50	5068	rundll32.exe
56	5068	rundll32.exe
57	6104	rundll32.exe
61	6104	rundll32.exe
63	6104	rundll32.exe
67	6104	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
5068	rundll32.exe
6104	rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5560-0-0x0000000000010000-0x000000000004C000-memory.dmp	upx
behavioral2/memory/5560-2-0x0000000000010000-0x000000000004C000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\machinez.inf	rundll32.exe
File opened for modification	C:\Windows\inf\machinez.inf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5560 wrote to memory of 5068	5560	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe	89
PID 5560 wrote to memory of 5068	5560	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe	89
PID 5560 wrote to memory of 5068	5560	ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe	89
PID 5068 wrote to memory of 4616	5068	rundll32.exe	100
PID 5068 wrote to memory of 4616	5068	rundll32.exe	100
PID 4616 wrote to memory of 6104	4616	RunDll32.exe	101
PID 4616 wrote to memory of 6104	4616	RunDll32.exe	101
PID 4616 wrote to memory of 6104	4616	RunDll32.exe	101

C:\Users\Admin\AppData\Local\Temp\ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff04ba3860366f3963fe0cf0067f7082_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5560
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysTem32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
72KB

MD5
7dc92759d4d936c495eefabb43461205

SHA1
51234a77d3b579f3bb37fe26b70f344557b94abb

SHA256
26524a70d763815c176bd62b87977ab63f9099788cb280e8d1f9a833e9a9d011

SHA512
2da960352ac36b7f0579183f447e440e80b7170ab9b867e5c104375d6212681934413f84e96cd72ddc72e6d0b081ae1f36825748808082a4d0e13f1aab7103b7

Download Submit
C:\Windows\inf\machinez.inf

Filesize
209B

MD5
9a53f7981d0efd8da4d1110ff641112e

SHA1
8efc36e35b5f995d6ce1d313f87d8ffe49d76e73

SHA256
5b7bc2a1371ea4a96919e03b096f7f947669d4c2f8aa9c848eaf6790f18cbd62

SHA512
720d4d6d147c54dbe24269ddec584fa5dcd3f730b5e247ff77282b38819385111072c62d2b916418d77aff4bb258452af23ea67d07387dad189e606fbfdab70e

Download Submit
memory/5068-5-0x0000000000010000-0x000000000005D000-memory.dmp

Filesize
308KB

Download
memory/5068-7-0x0000000000010000-0x000000000005D000-memory.dmp

Filesize
308KB

Download
memory/5560-0-0x0000000000010000-0x000000000004C000-memory.dmp

Filesize
240KB

Download
memory/5560-2-0x0000000000010000-0x000000000004C000-memory.dmp

Filesize
240KB

Download
memory/6104-16-0x0000000000010000-0x000000000005D000-memory.dmp

Filesize
308KB

Download
memory/6104-19-0x0000000000010000-0x000000000005D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads