633ba8378b3da5a72ca6898eb52bc26856edabcea495dedfb1e8892af6331549

General

Target

12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
Size

411KB
MD5

12386d9ebbbb538cb5ac24efea419bc1
SHA1

860b0af11a34e4c553cd76ec4a9fc8107b33f4be
SHA256

633ba8378b3da5a72ca6898eb52bc26856edabcea495dedfb1e8892af6331549
SHA512

7f79d8d4c912db6eef9f7159b89de907dd7181bec147cda74f68e383f96c5df64bf6e65020488bdc19dbe64578f8bf30e6e49bc237419d4b0613e54c752a538d
SSDEEP

6144:f1dlZro5yZg/NtgxAprfeOJMu+Ip7KMHra+vGJE/9uj8o2brSfRqW07S5EYPj:f1dlZo5yZgvx/VztN/vAWABRx0UlPj

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3988	ahmed12.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Extracted\ahmed12.exe	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
File created	C:\Windows\Extracted\taher 2010.jpg	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
File opened for modification	C:\Windows\Extracted\¾“ëý=RvrQ¿aÿ	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahmed12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3756	dw20.exe
Token: SeBackupPrivilege	3756	dw20.exe
Token: SeBackupPrivilege	3756	dw20.exe
Token: SeBackupPrivilege	3756	dw20.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3988	4456	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	85
PID 4456 wrote to memory of 3988	4456	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	85
PID 4456 wrote to memory of 3988	4456	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	85
PID 3988 wrote to memory of 3756	3988	ahmed12.exe	88
PID 3988 wrote to memory of 3756	3988	ahmed12.exe	88
PID 3988 wrote to memory of 3756	3988	ahmed12.exe	88

C:\Users\Admin\AppData\Local\Temp\12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\Extracted\ahmed12.exe
  "C:\Windows\Extracted\ahmed12.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1508
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
224B

MD5
2e78e0a6b384054e8043537dfceeec82

SHA1
b583f681e60118c9dec7a81bad4833f6f20a6262

SHA256
304a2f26b747df9a566cae5470c8f6caf6f28e5001d3bdbc6976d0477d76af17

SHA512
7424b8fd1ed403cbe8646a94dea0c4ba14cb71af579504e7c9598e31a5bce8bc832e047fee5f5e0a151ce2c909163cc79681c0d2ba0ab7b163171a16446eefaf

Download Submit
C:\Windows\Extracted\ahmed12.exe

Filesize
6KB

MD5
f617719d62d8b31b95ce17c369e20c67

SHA1
4c180a25c75b8c096d2933b19831391f0413606e

SHA256
c745c4a6353a28be89fc224692ebee37f60bf340b4ad4396c14e19f76588068c

SHA512
8a988dabc53cfcf98a5e253b7f7b0a4b1bd6ae52099a30d56bd6949d5597e8eaf2d59a5f81ce078d5667bf5bf36f79af82a57f1a1e427133c8548eda337420ad

Download Submit
memory/3988-28-0x0000000073F22000-0x0000000073F23000-memory.dmp

Filesize
4KB

Download
memory/3988-29-0x0000000073F20000-0x00000000744D1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-30-0x0000000073F20000-0x00000000744D1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-37-0x0000000073F20000-0x00000000744D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads