d19d23b390f428315e86f41e6fee503652031966caf699ac8212380309067137

General

Target

1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
Size

563KB
MD5

1430b3943e267e84a88e8da33637d086
SHA1

2786953b7c6e471df8a34c46819694bf7e647157
SHA256

d19d23b390f428315e86f41e6fee503652031966caf699ac8212380309067137
SHA512

dfd1bbc987462c3c26e5894f84462b14a6c05666702bcc02234732fc566d4bf5dad517920b0c5abeb466c937cb528670dae741bc194fd3f618d984a7fe02a0a0
SSDEEP

12288:DV+mzHLrr5ueOO+8JA39ro8Y7OiiAvCjLLGfcXh691HHfa1W2:D8AuV8JAFol7MqCjLSfcxYi1D

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
2880	sclic.exe
4632	sclic1.exe
4504	sclic.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1.bat	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File opened for modification	C:\Windows\sclic.exe	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File opened for modification	C:\Windows\sclic.exe	sclic1.exe
File created	C:\Windows\sclic.exe	sclic1.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240623046	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File created	C:\Windows\1.vbs	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File opened for modification	C:\Windows\1.vbs	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File created	C:\Windows\1.bat	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File created	C:\Windows\sclic.exe	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
File created	C:\Windows\sclic1.exe	cmd.exe
File opened for modification	C:\Windows\sclic1.exe	cmd.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4972	sc.exe
5096	sc.exe
3828	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sclic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sclic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sclic1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2880	sclic.exe
4504	sclic.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4504	sclic.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4720	4064	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe	82
PID 4064 wrote to memory of 4720	4064	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe	82
PID 4064 wrote to memory of 4720	4064	1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe	82
PID 4720 wrote to memory of 3996	4720	WScript.exe	83
PID 4720 wrote to memory of 3996	4720	WScript.exe	83
PID 4720 wrote to memory of 3996	4720	WScript.exe	83
PID 3996 wrote to memory of 4972	3996	cmd.exe	85
PID 3996 wrote to memory of 4972	3996	cmd.exe	85
PID 3996 wrote to memory of 4972	3996	cmd.exe	85
PID 3996 wrote to memory of 5096	3996	cmd.exe	86
PID 3996 wrote to memory of 5096	3996	cmd.exe	86
PID 3996 wrote to memory of 5096	3996	cmd.exe	86
PID 3996 wrote to memory of 3828	3996	cmd.exe	87
PID 3996 wrote to memory of 3828	3996	cmd.exe	87
PID 3996 wrote to memory of 3828	3996	cmd.exe	87
PID 3996 wrote to memory of 4632	3996	cmd.exe	97
PID 3996 wrote to memory of 4632	3996	cmd.exe	97
PID 3996 wrote to memory of 4632	3996	cmd.exe	97
PID 4632 wrote to memory of 4504	4632	sclic1.exe	99
PID 4632 wrote to memory of 4504	4632	sclic1.exe	99
PID 4632 wrote to memory of 4504	4632	sclic1.exe	99

C:\Users\Admin\AppData\Local\Temp\1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1430b3943e267e84a88e8da33637d086_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c 1.bat
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\sc.exe
      sc create sclic binpath= C:\Windows\sclic.exe type= interact type= own start= auto DisplayName= "Windows Firewall"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4972
  - - C:\Windows\SysWOW64\sc.exe
      sc description sclic "╕·╫┘╧╡═│╩┬╝■ú¼╚τ╡╟┬╝ Windowsú¼═°┬τ╥╘╝░╡τ╘┤╩┬╝■╡╚íú"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5096
  - - C:\Windows\SysWOW64\sc.exe
      sc start sclic
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3828
  - - C:\Windows\sclic1.exe
      sclic1.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\sclic.exe
        
        C:\Windows\sclic.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4504

C:\Windows\sclic.exe
C:\Windows\sclic.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1.bat

Filesize
308B

MD5
015f6dc00723b6f318ff74e430bf58ba

SHA1
ee0e5e1ae82b58c73ec7599a6ae2ec9526a1ff9c

SHA256
74f009e9743aa36690e6d1f8bbf7ab9049564cd9642e950046adfb6bfd02c123

SHA512
7ec5983d6a6b46aca3d63a1bdc0f7e640692f772aaf3c2674e83b50fab4c78e93f76011422394539b3120238600771cce6e40f4e4021a804d571c8d4b4ffebf3

Download Submit
C:\Windows\1.vbs

Filesize
70B

MD5
03af6f8727b0f31f2a6fa0e553c3eea5

SHA1
65d7a1db8adbbb3fed6885d0921220c3c6eae51d

SHA256
0265dd539101782974e766576ce993f6c307c1c3fe77b5b5e14ab6492b7f6721

SHA512
eaadacbc138bcf23b8764af50d2198453092c83e704b50cdeb6863eaddbbc62857539365bd7a58b67e14a3e3a1a4298f0ef95069540bb9704d8b08b3a0ef169f

Download Submit
C:\Windows\sclic.exe

Filesize
508KB

MD5
a20023c0dcca59fc4403966e39bc12c7

SHA1
427705219288305efa14a1eaef557384b7267ac3

SHA256
81cf89b1e7d455bf7d66770503ae1b131db0b518ff7bbf53c7f2c8ae93b177dd

SHA512
9555a06142817fbe96bb6547eb93bed0e1522582a95f51c63f8fcc0ca0fbef39a93ba65bdbcefc44c91b32fde77dd7a6ddf0964e24ed47cbc8296edc771a0336

Download Submit
memory/2880-14-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-15-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2880-16-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-17-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-19-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-21-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-22-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2880-23-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/4064-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4504-42-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4504-38-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/4504-39-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4504-40-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4504-47-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4504-48-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-30-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-33-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-31-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-29-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/4632-28-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-46-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4632-44-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing