d93bdd46966fc445cbd034548bdbb547ea4e499a7ac0eb0db04b76b13bf04fd9

General

Target

0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
Size

1.7MB
MD5

0acba0ac120021257125a88dbc2cdd50
SHA1

99b7514d72734db709c489604f6d30ee5ffff463
SHA256

d93bdd46966fc445cbd034548bdbb547ea4e499a7ac0eb0db04b76b13bf04fd9
SHA512

4314c323d3d7743970bf8477d827ee6a8a3c51cd839b2fdf28eef4e34a73efd04687e2b0a82031e08165232113c2ce0828daa537ebbc1a8766d1c7305f97158c
SSDEEP

49152:OZhpafFU8w7Yy2g8+vkJSk1mUlE4M8z4wNCW:Or8f68w7d2P+uSsmUltmwY

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	STO.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	STO.exe

Loads dropped DLL 4 IoCs

pid	Process
3328	STO.exe
3328	STO.exe
4172	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
4172	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\STO Start = "C:\\Windows\\SysWOW64\\AMFOLL\\STO.exe"	STO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AMFOLL\AKV.exe	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\AMFOLL\	STO.exe
File created	C:\Windows\SysWOW64\AMFOLL\STO.exe	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AMFOLL\STO.004	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AMFOLL\STO.001	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AMFOLL\STO.002	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3328	STO.exe
Token: SeIncBasePriorityPrivilege	3328	STO.exe
Token: SeIncBasePriorityPrivilege	3328	STO.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3328	STO.exe
3328	STO.exe
3328	STO.exe
3328	STO.exe
2560	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 3328	4172	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe	84
PID 4172 wrote to memory of 3328	4172	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe	84
PID 4172 wrote to memory of 3328	4172	0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe	84
PID 3328 wrote to memory of 3980	3328	STO.exe	95
PID 3328 wrote to memory of 3980	3328	STO.exe	95
PID 3328 wrote to memory of 3980	3328	STO.exe	95

C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\AMFOLL\STO.exe
  "C:\Windows\system32\AMFOLL\STO.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AMFOLL\STO.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AMFOLL\AKV.exe

Filesize
513KB

MD5
1c95c9f7854cb32731f65e0f234c6e31

SHA1
21418b452de2fc68fadcafa6db8e5dfcedbb0a8a

SHA256
8c0cf83d1f1409229e75b841aa9149779e9e6b341a5b7073bea304c0dc26fe27

SHA512
b7facbfd5b2e7a9d2a6ddc933ff8956b99f55a7c94957bdea6e2d80498c65569a7b74f9f75941869646557153ccd420864266c8bb856948ac7e00fc43c6eb802

Download Submit
C:\Windows\SysWOW64\AMFOLL\STO.001

Filesize
78KB

MD5
92711372be36753e32f8f405642f3c94

SHA1
87d93095e049f45777ec696d152a56e888569001

SHA256
8fe11d43d7a1a6b5aa730d10886cf7dbebd8855c8f1aecc848e7172e3997d8b9

SHA512
1100b47b236c635647d7fcd9023745b14bb512be816c8bd3c1d872549e01822a9bd3960ad774c628601dfdb36b1f99a194707560a55e32a9e68145baeb4b5676

Download Submit
C:\Windows\SysWOW64\AMFOLL\STO.002

Filesize
55KB

MD5
e4a425e8d87b40406ff973d1a7d43429

SHA1
933417e0c7896c482529c308d0315b78f5a7f1f8

SHA256
cd01a5dc2415ea267529ec99c6f296642f7262f84e80cac7033d16bc7781a39e

SHA512
368ea7e419e01515a492d7c20482a161f74644b0ea09ada9e2950134d64ccc4956a0d7d2dd393a7b1fd3df0f3df1ca8ef947ae58d9b4abbc8770f204fb33c6e5

Download Submit
C:\Windows\SysWOW64\AMFOLL\STO.004

Filesize
1KB

MD5
6f6ca93db8939bd4123427b457e528cf

SHA1
cea25e416d51bf59aa824f84d385bba6438205c4

SHA256
fae3d787c7b5e6c656848441430840a224295ce8c2d549697651500ad3caa311

SHA512
5322dbd09961a271be79bb3c5002d6cc713605682a55462d1df3e29f998f392ce607f2d1f7cd47df7554dacfb89e51705a63eb301426767c7c9bb8e4711f531c

Download Submit
C:\Windows\SysWOW64\AMFOLL\STO.exe

Filesize
1.7MB

MD5
b910f5d24e399a13f6aae20535ac05b4

SHA1
d062f168245e353da3ad3c2b68e830333f9f1373

SHA256
046c39b67b6c83fec1ac111357e4d61340f02a6c90a32bf34e05cfeefb2c74e7

SHA512
1677aae44c8ce1d447524543e252f59247c97b8d4d87a3818a7f70d7ec3c788fa97ac4bbe406c1b0a450383a515cb003e390de6baba2d167505850ed6d183274

Download Submit
memory/3328-23-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3328-22-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3328-17-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3328-26-0x0000000000C20000-0x0000000000C38000-memory.dmp

Filesize
96KB

Download
memory/3328-31-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3328-32-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4172-0-0x0000000000701000-0x0000000000702000-memory.dmp

Filesize
4KB

Download
memory/4172-6-0x0000000000700000-0x00000000008B1000-memory.dmp

Filesize
1.7MB

Download
memory/4172-1-0x0000000000700000-0x00000000008B1000-memory.dmp

Filesize
1.7MB

Download
memory/4172-29-0x0000000003020000-0x0000000003038000-memory.dmp

Filesize
96KB

Download
memory/4172-30-0x0000000000700000-0x00000000008B1000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads