3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36

General

Target

2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
Size

227KB
MD5

2d26ff8c55b926673524852520e77a4e
SHA1

7baefc1d929ecef7a9063775be4576fcf4d9cdc0
SHA256

3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36
SHA512

5e6ee837ff1ea3290562c8673f45787f88bb813614c77dfe39929746a7a26ffabbdc0f2697ed65435cbc8ad19b4e89acb610a0e8eb036eb1d342272425e6e01f
SSDEEP

6144:dfOpM5uMf/j/lSCq0wWCBY5y3aiAGWd573slDD0Ig:dmpM5t3nFCBY5dikLsVE

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ins4532.exe

Executes dropped EXE 2 IoCs

pid	Process
4028	ins4532.exe
5064	ins.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	ins.exe
File created	C:\Windows\assembly\Desktop.ini	ins.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000230000-0x000000000028D000-memory.dmp	upx
behavioral2/memory/1800-31-0x0000000000230000-0x000000000028D000-memory.dmp	upx
behavioral2/memory/1800-38-0x0000000000230000-0x000000000028D000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ins.exe
File created	C:\Windows\assembly\Desktop.ini	ins.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ins.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ins.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5064	ins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	ins.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5064	ins.exe
5064	ins.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4028	1800	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	85
PID 1800 wrote to memory of 4028	1800	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	85
PID 4028 wrote to memory of 5064	4028	ins4532.exe	88
PID 4028 wrote to memory of 5064	4028	ins4532.exe	88
PID 4028 wrote to memory of 5064	4028	ins4532.exe	88

C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe
  "C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe" ins.exe /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe
    "C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe" /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe

Filesize
254KB

MD5
473b7bc5d6fd58f3c86a29ff64035bad

SHA1
69a8bbb0ed0be2f66459030ccb77a6f8307d46f9

SHA256
107d940514fcd5cfe2e62d4e23357dd2eeef7543b082a4b959e11569aaf180b1

SHA512
2cb5c110c8e4aba59f3c6bed7b6dc4a4624538d906ad18be72e687f695ef825aad117457eab895c01295878dfe25e1b6b0ed25de29c6f1558e20ed6be3411d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe

Filesize
138KB

MD5
9543c7e436381a7853e8182a35152e38

SHA1
3e828372157a880edde5e5621a7888900d686d76

SHA256
1628a5b49145659ebddd692829fd2c067569452f85769ef831376b8bb36c6c26

SHA512
cd82be11ffa1c17eb95a110741ba1199b38da11aaf13a40dd7c9de8ec4fa7a56a48e718cd1a30cd4fa47000a757e62c0fff4285c0b0af21460b3ea986b1951e4

Download Submit
memory/1800-38-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/1800-0-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/1800-31-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/4028-13-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

Filesize
9.6MB

Download
memory/4028-14-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

Filesize
9.6MB

Download
memory/4028-32-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

Filesize
9.6MB

Download
memory/4028-33-0x00007FFC6E555000-0x00007FFC6E556000-memory.dmp

Filesize
4KB

Download
memory/4028-37-0x00007FFC6E2A0000-0x00007FFC6EC41000-memory.dmp

Filesize
9.6MB

Download
memory/4028-12-0x00007FFC6E555000-0x00007FFC6E556000-memory.dmp

Filesize
4KB

Download
memory/5064-26-0x0000000073DB2000-0x0000000073DB3000-memory.dmp

Filesize
4KB

Download
memory/5064-27-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/5064-28-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/5064-35-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing