c7a08592bdf69cac3585687e7901b3864d46a17c3f3b41638f59d4b62dc2b6e2

General

Target

0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
Size

336KB
MD5

0013210c0c72e1986c321e41190b187c
SHA1

103fec1a835e5481d17affa4cba6b0728e7be778
SHA256

c7a08592bdf69cac3585687e7901b3864d46a17c3f3b41638f59d4b62dc2b6e2
SHA512

787cdc54b32e7fda314f0c0d8a9c149741d85cdc16755b2a196d5fd79d5c5c07157614017be399ebdd569dc9f132829fc3a6800639a98ff1c1aeb7c5eeb5b925
SSDEEP

6144:+8U2qy6rRZb7jxGYKSTJDPM83llq9v+evY56asFmZluUbbVizdKRJoE5:gzy6rRxE8UOlwvVvY5homZIUM0Rqe

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\__tmp_rar_sfx_access_check_240623781	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\127014_128820_f_640x480.jpg	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\127014_128820_f_640x480.jpg	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\start1.exe	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\Death.bat	start1.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hоsts	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hоsts	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\start1.exe	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	start1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malwox.exe	start1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malwox.exe	start1.exe

Executes dropped EXE 1 IoCs

pid	Process
1444	start1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1444	start1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1444	2420	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe	82
PID 2420 wrote to memory of 1444	2420	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe	82
PID 2420 wrote to memory of 1444	2420	0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe	82
PID 1444 wrote to memory of 1596	1444	start1.exe	83
PID 1444 wrote to memory of 1596	1444	start1.exe	83
PID 1444 wrote to memory of 1596	1444	start1.exe	83

C:\Users\Admin\AppData\Local\Temp\0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0013210c0c72e1986c321e41190b187c_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\drivers\etc\start1.exe
  "C:\Windows\system32\drivers\etc\start1.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\drivers\etc\Death.bat" "C:\Windows\system32\drivers\etc\start1.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\etc\127014_128820_f_640x480.jpg

Filesize
133KB

MD5
707b441ffca81e2d2d884c27e92f6899

SHA1
9c847992fa5af864ba8b230fb8c48a7f76acc2d3

SHA256
957cfd51a3c7d5dd11af2036e03f760c6151cdc082bb49008adfbf2f7efb1e3b

SHA512
1f3b951442d5bf5ac9decce94954103a2ec90741dc447a2a0a2d2ef1608554fdd745e75fdf9814bcaa3c773ea49f0df5537f78558e83f70edc27204ff1e8456c

Download Submit
C:\Windows\System32\drivers\etc\Death.bat

Filesize
38B

MD5
50a94effec08179504ef46949486ef63

SHA1
c36bcfbc6d85d0ae7b5642655985ecc2ab1f9e1d

SHA256
149194e913c7900de706a6a48db7695059b91fd63ebc75b373355c7009fb62e2

SHA512
095c1914e290377676cfbf07c52fb321d8e51638229810e560447e4db51d2e4dff8bfa870b009029692e12c0b9fe9c1fcf74dde30c3f68297631ff4ea6bbe283

Download Submit
C:\Windows\System32\drivers\etc\start1.exe

Filesize
85KB

MD5
1fdedba9d6a2a34d161dd82a58bfa957

SHA1
95b8b6ce5cde603ae1eb7cc1bba7c93046034bce

SHA256
5fdc780cb9d0493aa9376ad9bb01dcb0b45b629ad19e661e490190629f470a3d

SHA512
fa6dd3e9e834ce1462481aa2d24d9bc7642cf5f163f40aebb7962fa3abd9981e7363fa70b7f0a30815559f64e28fb1442210d555479b7ed8a4b4858ef96d6ec7

Download Submit
memory/1444-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1444-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing