9f89f4a5c89dbbaf63a637297270cd250206a41ecaf951838a7ca8bf80a4ff7f

General

Target

0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
Size

6.7MB
MD5

0b3129ec9cb34319c157c23e0b36f8f7
SHA1

c0c83f99ef27a322e8f0d480a994c475fd75daae
SHA256

9f89f4a5c89dbbaf63a637297270cd250206a41ecaf951838a7ca8bf80a4ff7f
SHA512

1238dcb2fbc78e5ee6158c705cc31100d353dcc1723760639c3fcbb5d56125e12ba0147d53db59f5435102b83d96ca7192c5bffede332c6656192d5e79a8a841
SSDEEP

196608:rJzEJEWcue+zXnEm1T4/t6279Bdf79eQuGYKaclcqr:1aEWcu7FTN2R7cQ/YK7cY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	asc-setup.tmp

Executes dropped EXE 3 IoCs

pid	Process
3892	asc-setup.exe
1300	asc-setup.tmp
4732	Aup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asc-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asc-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aup.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe
4732	Aup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3892	640	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	82
PID 640 wrote to memory of 3892	640	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	82
PID 640 wrote to memory of 3892	640	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	82
PID 3892 wrote to memory of 1300	3892	asc-setup.exe	83
PID 3892 wrote to memory of 1300	3892	asc-setup.exe	83
PID 3892 wrote to memory of 1300	3892	asc-setup.exe	83
PID 1300 wrote to memory of 4732	1300	asc-setup.tmp	84
PID 1300 wrote to memory of 4732	1300	asc-setup.tmp	84
PID 1300 wrote to memory of 4732	1300	asc-setup.tmp	84

C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\is-PQE5R.tmp\asc-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PQE5R.tmp\asc-setup.tmp" /SL5="$A0052,6465748,158720,C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\is-JRR5P.tmp\Aup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-JRR5P.tmp\Aup.exe" /upgrade
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-JRR5P.tmp\Aup.exe

Filesize
416KB

MD5
1d227476fa73d6d1ad23467c25fe036a

SHA1
3f2d40e4ef5d5c9cdc989e894ad71cdbaf1de3aa

SHA256
d2047d9d932fe48daf99ccf54323a236b16e881c74830d0d6c66ec0cd6614299

SHA512
f59da9bd09280f20e9cac75d70f81c286f5f9de1c2c155cc49cdde7415faef5e929e70da15cd8d16ab6d67ae400f0e8b1a8990b0108887e9b2077a369e11f985

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQE5R.tmp\asc-setup.tmp

Filesize
1.1MB

MD5
72a7ba5e9cc4e5e7b583735a83220712

SHA1
08c89a2d5c8c875b44e87a52659617879b8cc25d

SHA256
6fa7dfa86eb9eb7aadb851b0eee1ad3a6fde701e80b3fd4e838638f9df2f648a

SHA512
97a1bc0bbea270a99709ce82bd3bce2ec0b2b7120fae3d9315969abfeddf0ef6d9cf22befd165c4cd2022d837f8ce03616ee17b9080e294e4bef67e0aaabe6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe

Filesize
6.7MB

MD5
d90ea525c94bc94bd0c65d366b6d61d9

SHA1
cf5cef61a6317fa4fdffb6732631c3dc9fdfb76a

SHA256
5e02992ab6c4424d3cbfec4ea51364ab3945264411e83ed1ead52967cfeb6c29

SHA512
eb7baf21d162d5096c7e959adf4bcf5df4c9ffa08107e9c44d8a6c5961fa738a9bc427af972543c7606b74bc7d74ef314122fbbb2d17121e3d3a2d5d0e1e0b0e

Download Submit
memory/1300-32-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-44-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-56-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-54-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-52-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-50-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-30-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-48-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-36-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-38-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-40-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-42-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-12-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1300-46-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3892-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-7-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4732-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4732-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing