032e802224e18781774bc0b22a90dffa707444de1bfd8d89b0874cb8c90dac1e

General

Target

2db48645076f59538f54328edcf6587b_JaffaCakes118.exe
Size

434KB
MD5

2db48645076f59538f54328edcf6587b
SHA1

bcafa7aec034aacc52dfc7227a3a5c5060a55d49
SHA256

032e802224e18781774bc0b22a90dffa707444de1bfd8d89b0874cb8c90dac1e
SHA512

7ec800801ee6413d0d27cebdb2a89f5af77398c419a4dfa5df222be5eeefb23d5cfb68bb95f5f912bced9d08c71b92ed03a26e14c45e3099b6248fe54686c30a
SSDEEP

6144:Gb0muyxIN0CSq4O0WUPgjWrIwmn4SdGrDFKugYjYJDCfA/iXdBbHlRv+Flyg:m0xy+N0CSqNtUDrIdxdwCYjo/EBn+jf

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
324	setup.exe
2988	ÊñÃÅÐ¡µ±¼Ò1.0.exe
4244	services.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "C:\\WINDOWS\\system\\services.exe"	services.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system\services.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÊñÃÅÐ¡µ±¼Ò1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2988	ÊñÃÅÐ¡µ±¼Ò1.0.exe
2988	ÊñÃÅÐ¡µ±¼Ò1.0.exe
324	setup.exe
4244	services.exe
4244	services.exe
4244	services.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 324	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	86
PID 4356 wrote to memory of 324	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	86
PID 4356 wrote to memory of 324	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	86
PID 4356 wrote to memory of 2988	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	87
PID 4356 wrote to memory of 2988	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	87
PID 4356 wrote to memory of 2988	4356	2db48645076f59538f54328edcf6587b_JaffaCakes118.exe	87
PID 324 wrote to memory of 4244	324	setup.exe	88
PID 324 wrote to memory of 4244	324	setup.exe	88
PID 324 wrote to memory of 4244	324	setup.exe	88
PID 324 wrote to memory of 2344	324	setup.exe	89
PID 324 wrote to memory of 2344	324	setup.exe	89
PID 324 wrote to memory of 2344	324	setup.exe	89

C:\Users\Admin\AppData\Local\Temp\2db48645076f59538f54328edcf6587b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2db48645076f59538f54328edcf6587b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\WINDOWS\system\services.exe
    C:\WINDOWS\system\services.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\ÊñÃÅÐ¡µ±¼Ò1.0.exe
  "C:\Users\Admin\AppData\Local\Temp\ÊñÃÅÐ¡µ±¼Ò1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
129B

MD5
aa08456f612cf183111acee888b89794

SHA1
1d7ca8d9ba72bd14b036008c82647d224f828a75

SHA256
ef35a0b6743ac07993f0baa51d04be03f16eac8fafa9b401768bfed03cfc8e8e

SHA512
5d590ce15e15797dec43c6d205fdc207f345bb64b2583dedeb29b97f7cc3433c8e21d6c067573f8185482b0d3846363cbf9e198d43261a879ba7857d45c24824

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
11KB

MD5
6a65cc3d735631721fb70331dda8d3c3

SHA1
b22ce01f38c2a2383340e58cf67eecee022a6218

SHA256
0509cbe7cc7fcbf771cfdb7af29b98e7dd79caad76e48be4e35b98ae9b21a134

SHA512
48ade865f14a6eff062ae87fd7398c3f7501c5a687c74660d2266aec41c3d08995bbd4f6de29a7ed9a17e2a31e6fd40904dba66cc59bba56d15b2475781049d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÊñÃÅÐ¡µ±¼Ò1.0.exe

Filesize
24KB

MD5
2160838bcd691128ffec2d9949050441

SHA1
21ec3c9a3bdab7332535844b4d3483985f18cd01

SHA256
56566660c12da695585e0c02a0fd90aa5eb210f36e3f473d3bfbf637a0604b5e

SHA512
3aec8eeeab1e309233243367e83e25d0132d9bf84c3fd5e261295cfba9f099695f2bc63d5e456bfe7fcf395cb91dfe985fce4f14fe22c540eb537bbdfcfe3ebb

Download Submit
memory/324-14-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/324-37-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4244-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4356-0-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4356-24-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads