b96420c807044297b54212a4fa9b1256dc8b21eadf938a2cb9ec64370df60255

General

Target

0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe
Size

1.7MB
MD5

0835366c0a5d665d1521c21eb6a799c7
SHA1

0bd318c46ece020119c99ba4114174bcdf53119d
SHA256

b96420c807044297b54212a4fa9b1256dc8b21eadf938a2cb9ec64370df60255
SHA512

f2b0df00bb879d2d0531b033d9a559c7e3fd3e193407583c72778299f5296800beef9ea97997c1e34dfe177dc95bb3af0f1ab4677a0a841da4545ffc26b14c7a
SSDEEP

49152:j9A0F15M0lph/x2A9XObbNDJ0IR807LMCIoRz2n1xRaq+:ZA0La0lfM8exl/R80fPVxq+

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Executes dropped EXE 2 IoCs

pid	Process
4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
1576	Sc355.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235b3-44.dat	upx
behavioral2/memory/1576-47-0x0000000000400000-0x00000000005E3000-memory.dmp	upx
behavioral2/memory/1576-55-0x0000000000400000-0x00000000005E3000-memory.dmp	upx

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\basic-launcher-scite\is-GF2E1.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-SSQSI.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-JE47E.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-BUC51.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\RfoCodeFinder.exe	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\Sc355.exe	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-CBLCT.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\AdbWinApi.dll	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-LPO68.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\unins000.dat	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\adb.exe	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-I6P9H.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\unins000.dat	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-69ICV.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-21NDP.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File created	C:\Program Files (x86)\basic-launcher-scite\is-JD692.tmp	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\rfo-basic launcher.exe	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\basic-launcher-scite\AdbWinUsbApi.dll	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sc355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\shell	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\shell\open	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bas	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bas\ = "scitebasiclauncher"	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\shell\open\command	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\ = "RFO-BASIC! program"	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\DefaultIcon	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\DefaultIcon\ = "C:\\Program Files (x86)\\basic-launcher-scite\\Sc355.exe,0"	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scitebasiclauncher\shell\open\command\ = "\"C:\\Program Files (x86)\\basic-launcher-scite\\Sc355.exe\" \"%1\""	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe
1576	Sc355.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4536	3412	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe	89
PID 3412 wrote to memory of 4536	3412	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe	89
PID 3412 wrote to memory of 4536	3412	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe	89
PID 4536 wrote to memory of 1576	4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp	100
PID 4536 wrote to memory of 1576	4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp	100
PID 4536 wrote to memory of 1576	4536	0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp	100

C:\Users\Admin\AppData\Local\Temp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\is-RCEFO.tmp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RCEFO.tmp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp" /SL5="$B0054,1407146,214016,C:\Users\Admin\AppData\Local\Temp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Program Files (x86)\basic-launcher-scite\Sc355.exe
    "C:\Program Files (x86)\basic-launcher-scite\Sc355.exe" "C:\Program Files (x86)\basic-launcher-scite\basiclauncher.bas"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\basic-launcher-scite\Sc355.exe

Filesize
750KB

MD5
47cd33a236a022504b5d2d5b2ceecb26

SHA1
fb3e058f428afbc00765069843fc02120a52bf41

SHA256
695fe3299469034356a45bd2ce854aa361b0beffca511f5a46cb606c19fef7fb

SHA512
66d615dc977ab7fb54e5c37b0d0f742378c84078e9eed25120e78cc3bb2dd7b96855e8f4c6fe5ae7547d96a8c3a4248a1fa243db7c2f9e9e410f7608d62bb6f5

Download Submit
C:\Program Files (x86)\basic-launcher-scite\SciTEGlobal.properties

Filesize
15KB

MD5
63729f492e322f5cb14378d23efd1071

SHA1
eafd4ccff03f2476c23ad9d1e5b828fb057bd42a

SHA256
58dd24368053e92064454502bdf4b6c6d1191a096dee8c5e396c73b585b94f10

SHA512
5c16734f390c1ca0fd9a79a9606f9cae9d7b6480f9e4abf98a497ccc8db4e41d63a019ceecff8ef05746956edc740c8fbc0d51d094653d66a610210b9d9b95f4

Download Submit
C:\Program Files (x86)\basic-launcher-scite\basiclauncher.bas

Filesize
2KB

MD5
355a4f057fd60b692722e72b695cd44a

SHA1
674f5673c0016bd24b29fc4b50a5ca46922a497b

SHA256
dd6f3f8d2a59f3d9f973c94378957880f233847e9be61a8760931b2f25eb1460

SHA512
35dbb4a12028f1d966cd681dbeac5b830812548f62d2a393cf9eabafa68f88ba2e68d14955079993f34cdf92634715f5365a85a5ca7decbe88957cabf583204c

Download Submit
C:\Program Files (x86)\basic-launcher-scite\vb.properties

Filesize
9KB

MD5
40eac7907b90e5d7425618312353a542

SHA1
a4716705a7af520f0d5475642ce793b15b08b617

SHA256
3b04e926bff97823ea635ad617526b5b06b48c68ad6de0b2bf1c3c1fa0f90585

SHA512
b4ab5ed1f4c59973d82533202e31615daf79bb0ac3df0b5e7018b80f398160abbc9e2c2c0e8201a77498537a541d27e955afe455b5218cabe81cf839d2d9b869

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RCEFO.tmp\0835366c0a5d665d1521c21eb6a799c7_JaffaCakes118.tmp

Filesize
845KB

MD5
de18910e6bfe9b3b0f5612122f3f26ba

SHA1
2a78b75a87a4bf8ebfba5471474b5c5b166b229d

SHA256
c1466adea5183028acd8e936b06ff3faa74f669917ad76ba623311ca75971ec7

SHA512
42ee45a01e718ff52e04cd438868f185e93b09ebd8f314d1033d160552b2ff3faa51f0772e3d71cb1bf4f80542aed3f19cb944a67801411df557b103dc6c3ee3

Download Submit
memory/1576-55-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/1576-47-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/3412-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3412-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3412-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3412-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4536-18-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4536-16-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4536-14-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4536-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4536-50-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4536-53-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing