a4683441c5224e36ff617323acf9f627e5717a41ff3584f7bceec7b0680ea96f

General

Target

138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
Size

161KB
MD5

138b8238e0799c627e8c240e22a2c1c0
SHA1

931f8255401256c88b0494699443caab8c01ae65
SHA256

a4683441c5224e36ff617323acf9f627e5717a41ff3584f7bceec7b0680ea96f
SHA512

4d346959a1faa4ce30d46475fd5b3c6e0423ebdc4efef777d1df545b7b669f103e8d2f312cd8e1d6042ca8e6d7f4c43c608e039f54c64bab3d86d77fa75df616
SSDEEP

3072:FYP2XerzhOUxu/XUtauF8iJkZPB6jQxwv8YC5z41LND:Fu2urzh9xu/XkauF5JgPB68xvF5zel

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Erkslfa.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dotop.nlp	Erkslfa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dotop.nlp	Erkslfa.exe

Executes dropped EXE 1 IoCs

pid	Process
3652	Erkslfa.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Erkslfa.exe	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\nlp.reg	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\TKLobby.ico	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\windows\Dotop.nlp	Erkslfa.exe
File created	C:\Windows\TKLobby.ico	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240620796	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\config.ini	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\config.ini	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\Erkslfa.exe	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\nlp.reg	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Erkslfa.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3792	regedit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3652	3508	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	82
PID 3508 wrote to memory of 3652	3508	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	82
PID 3508 wrote to memory of 3652	3508	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	82
PID 3652 wrote to memory of 3792	3652	Erkslfa.exe	84
PID 3652 wrote to memory of 3792	3652	Erkslfa.exe	84
PID 3652 wrote to memory of 3792	3652	Erkslfa.exe	84

C:\Users\Admin\AppData\Local\Temp\138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508
- C:\windows\Erkslfa.exe
  "C:\windows\Erkslfa.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s C:\windows\nlp.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Dotop.nlp

Filesize
1KB

MD5
44de70b8074d5866409b93f8d5f4c2b2

SHA1
2c53c1acf75dfdf409babe4e396b307fbe49646e

SHA256
c761a5a9e8962f097718b5e10f353b8b88c9def8c67a39a2436ed7c301791a72

SHA512
53d285c37fb3676235dbafccf40e7521def9bc1783555a4a5dc66a6af6bca251db739bbae232aa530b3e90028c188cac394dafbe3a4545e8e51aab0544135818

Download Submit
C:\Windows\Erkslfa.exe

Filesize
178KB

MD5
c5be0c0f188a5fb75928baba0f046655

SHA1
4b531d58d691ede8004f0dc3cc60c5188d0005b5

SHA256
8f8fecdf1c66eb0da8d3e1163247f1880ed285c33afc005e12b5a4985b5b82c4

SHA512
2d2c87a265e7a6ba3e24b26f523fbf23f16a50bf40e45b6779707923380f5b484e5ff19876a791156727b2e5167241cd3c415f8074543a93d42f675415180600

Download Submit
C:\Windows\nlp.reg

Filesize
1KB

MD5
03c8bdd1de2c4b9a1d3e633c2291cabd

SHA1
d263605f8f6eaa1c067b1e0d0ecb9d3acdd056b7

SHA256
fa1425b7727b215c37a93f9664ff23a6d7d00cf51159c3be76a032df1bbbcf2e

SHA512
2fd3524524852d12acace07d7028893c4378c8dfbc9fcf56ea0a093a239335d66afccb122566fe0505daf14d0ff3aecc813a55f177447614460277d04860afb8

Download Submit
C:\windows\config.ini

Filesize
67B

MD5
ead556dc96909485693a8c5107e73022

SHA1
ce9e160d9021f2145649d1ab10ece994bff0ec95

SHA256
7b6a76e442e22915915b0e85c9fb75cff7a065b2dceab33467e00a146c0a2c71

SHA512
f1d1347e0c780e8b808f6ec0b3e0930aca6a253aad3578370368aa44c6883b11382fec9a7347832b129d8382cb44589d32311cf6309aa8c613fbaf7d89228c6a

Download Submit
memory/3652-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3652-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing