b112c45475b30c2f94b1eeadf4fa2c284ba5b5354da25051a18d963ddab7b860

General

Target

06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe
Size

646KB
MD5

06b92d6c76be3fd40ce44eb12774feb2
SHA1

2735b6ac837a2402ba5cdd1bf1793c7b7337339c
SHA256

b112c45475b30c2f94b1eeadf4fa2c284ba5b5354da25051a18d963ddab7b860
SHA512

3d1785132ab4d2676771d7ceed488c8695aa7522d0a9259c26e18989675b14bf6c2471b3afba9a4ceef759ad4d943c4a6b6caaa4d9a5f5a803688e5215d9a11e
SSDEEP

12288:XR3c8JzAyJLu+oQBfdPl2fYPLu/lTUEniLKUMbD1WFMEqUGG:XR3c6AyE+NBlPl7L2lTUoi+dnKmbG

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2104	Kban0.exe
2760	Kban1.exe
3940	QQ.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233ef-4.dat	upx
behavioral2/memory/2104-8-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/3940-26-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2104-30-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/3940-32-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\QQ.exe	Kban0.exe
File opened for modification	C:\Windows\QQ.exe	Kban0.exe
File created	C:\Windows\uninstal.bat	Kban0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kban0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kban1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	Kban0.exe
Token: SeDebugPrivilege	3940	QQ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3940	QQ.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2104	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	82
PID 2452 wrote to memory of 2104	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	82
PID 2452 wrote to memory of 2104	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	82
PID 2452 wrote to memory of 2760	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	83
PID 2452 wrote to memory of 2760	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	83
PID 2452 wrote to memory of 2760	2452	06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe	83
PID 3940 wrote to memory of 2636	3940	QQ.exe	85
PID 3940 wrote to memory of 2636	3940	QQ.exe	85
PID 2104 wrote to memory of 4332	2104	Kban0.exe	86
PID 2104 wrote to memory of 4332	2104	Kban0.exe	86
PID 2104 wrote to memory of 4332	2104	Kban0.exe	86

C:\Users\Admin\AppData\Local\Temp\06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\Kban0.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban0.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
- C:\Users\Admin\AppData\Local\Temp\Kban1.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760

C:\Windows\QQ.exe
C:\Windows\QQ.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kban0.exe

Filesize
295KB

MD5
3e563f8bd128ad2fbebed6dc1123f4ed

SHA1
d8951a7e9c8a9d77aec67ce756d1c15c998c033b

SHA256
fe45159d1bc8ffc4a81c7bb92daccd85ed688e848ed60071f365a87c1d637340

SHA512
2d403f785b94249822ed73465099671a9f652c282d9affa1e3560eca806a38739409a9587c62699f38f77f94824ebb630fb79d9f90ec4c8041cd8bb31c2bd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban1.exe

Filesize
328KB

MD5
6ff7294765026d3f74e5c2d111460590

SHA1
5ecd3bc899761ff2a312186a27941e62fc4c5351

SHA256
c9bf41b9c56d75e0b08c26f1bc1d1aa32831fca2ecea9f8d8993ef0a4594fc9f

SHA512
97bff9644722945a0873add2a9e66f24d225315d3b2e0294a0bbf4bf38f45f21681add008d6b9b1ece8ff09c84b1d0ccdf06c017d86a2a0aacfe01206143bf06

Download Submit
C:\Windows\uninstal.bat

Filesize
136B

MD5
9fc21a6ada20429e4027c9d18895366c

SHA1
a9bc15297ce86b8b628d1080053d75f62d5ba862

SHA256
d89d3cd9c47a0effcd876f9107f9d99b8420fe72b283cd68af47b4e2254ef031

SHA512
f1d4cbbcd0f15f0c25491d73565c73adfc45f7fa727f31551f75758b35a0f50a7442da91a6b7547ab702d78d6156d173bf4dce4b1d1a3da741e0bb67e8b2ecdd

Download Submit
memory/2104-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2104-21-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2104-30-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2452-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3940-26-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3940-27-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3940-32-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3940-34-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing