f5b6d7f6712162ade636e5f7f991751caf218d11791ae2b6c2f0dd9aa22d9b88

General

Target

383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
Size

2.7MB
MD5

383c345894c5b8287384384e04483c4d
SHA1

5177d6054ef9845e4cbe63e1787cb5af634ca625
SHA256

f5b6d7f6712162ade636e5f7f991751caf218d11791ae2b6c2f0dd9aa22d9b88
SHA512

81041ff3605d0f00d672ba6b3dd196b61f424eb6a6f3c791badace4049dd0a4cde93771da5264a778db033897c4a4d3ef9a9c5bc5a31baadfb3bc14766e45d96
SSDEEP

49152:zVjoOHxjQIPIvMVGJKhrkCjNObMhGF6CIIABlTvw++asBjXGRiqeVnj5SOvy:zVjoEQIwUVGUrmwKIzw++lRnRdSCy

Score

7^/10

discovery upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	archstart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	archstart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3440	archstart.exe
4636	archstart.exe

Loads dropped DLL 4 IoCs

pid	Process
1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023ca0-78.dat	upx
behavioral2/memory/3440-89-0x0000000000400000-0x000000000062C000-memory.dmp	upx
behavioral2/memory/3440-104-0x0000000000400000-0x000000000062C000-memory.dmp	upx
behavioral2/memory/4636-103-0x0000000000400000-0x000000000062C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	4636	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	archstart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	archstart.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3440	1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe	86
PID 1940 wrote to memory of 3440	1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe	86
PID 1940 wrote to memory of 3440	1940	383c345894c5b8287384384e04483c4d_JaffaCakes118.exe	86
PID 3440 wrote to memory of 4636	3440	archstart.exe	87
PID 3440 wrote to memory of 4636	3440	archstart.exe	87
PID 3440 wrote to memory of 4636	3440	archstart.exe	87

C:\Users\Admin\AppData\Local\Temp\383c345894c5b8287384384e04483c4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\383c345894c5b8287384384e04483c4d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\archsoft\archstart.exe
  "C:\Users\Admin\AppData\Roaming\archsoft\archstart.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Roaming\archsoft\archstart.exe
    "C:\Users\Admin\AppData\Roaming\archsoft\archstart.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1040
      4⤵
      Program crash
      PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4636 -ip 4636
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\Release.dll

Filesize
7KB

MD5
5874a956265228dfcc2e4912239c4b2d

SHA1
14d69085f5bf01ee83f3208092d335d26242cff3

SHA256
ec22ab6cdc867170436f8467676e2f535616dcd7d5155f50a079e76eaed4afbb

SHA512
f79fac95d3c558a36007f297f6da7718764a2aa7f7c7b2674b5fbf7f943da9813ae6edda42012f593fbcf08cba8b321ca8d377e1654fd7d5ed1e740c27b2d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\archsoft\_todel5.png

Filesize
277B

MD5
7ff178f83f1ee1bd4309b80a82c09698

SHA1
508fc15af86d27e93085cdc0256cf76ac8d4ad9c

SHA256
ac01f2290c1d09eb546f182ac8f58f4933782d3b9e6653fb32f4454eee853bc9

SHA512
0e7a9a271241ae3d99adcc05891a8f0d04fa49d4e9cbaa566e6e4ab921be24b53ccb1dd7b64a9c4069498e2c39caedde21d57b6965ee4b44f5f5cf146631461b

Download Submit
C:\Users\Admin\AppData\Roaming\archsoft\archstart.exe

Filesize
1.4MB

MD5
33c0bbb21db074a3577ebb5a0cce087f

SHA1
f6a57bf37fda450b824f99e6a0ed4c307474c645

SHA256
4ec9bb790c966051b980c397ea98ae3b128fd6e5b7bfb26d7c46a9c1a835beb8

SHA512
d5c73f725d5952e08454568d11ef90077ce0aec018537b1d2ef819305cb2676f2c6681561f482eb48b8d18639765ffc620b29ca15e2461c160da88eb367ab013

Download Submit
memory/3440-89-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3440-104-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/4636-93-0x0000000002380000-0x0000000002485000-memory.dmp

Filesize
1.0MB

Download
memory/4636-99-0x0000000002380000-0x0000000002485000-memory.dmp

Filesize
1.0MB

Download
memory/4636-101-0x0000000002380000-0x0000000002485000-memory.dmp

Filesize
1.0MB

Download
memory/4636-102-0x0000000002380000-0x0000000002485000-memory.dmp

Filesize
1.0MB

Download
memory/4636-103-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads