0d3c474dfe9e8e5b9a112772ef090a0266ed3fdc93f295bd8edae2134ac0bbfd

General

Target

41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe
Size

269KB
MD5

41321fec380fbae3cfe299575f1e706f
SHA1

85ecf06362236aa83de0018a53b5293e4aa24e42
SHA256

0d3c474dfe9e8e5b9a112772ef090a0266ed3fdc93f295bd8edae2134ac0bbfd
SHA512

8e80ae3ae71224d27a6eb1b98fde8957f8e53530099fc276816f6006282b745c7ab5d9da35e611059412df77baa688b6435acf54de889dfc4e06326eb7a0a813
SSDEEP

6144:nsaocyLCLS9J7JzRSfhdaNCkppSgraW88gPBCN3ivSkbk/SHBsnht/NdJqE:ntoboU7JEf+TpNrtmPBCN3Xr1/h

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	installer5.exe

Executes dropped EXE 2 IoCs

pid	Process
400	installer5.exe
3984	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
4928	41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	installer5.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	installer5.exe
File created	C:\Windows\assembly\Desktop.ini	installer5.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	installer5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3984	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3984	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
3984	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 400	4928	41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe	85
PID 4928 wrote to memory of 400	4928	41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe	85
PID 4928 wrote to memory of 400	4928	41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe	85
PID 400 wrote to memory of 3984	400	installer5.exe	88
PID 400 wrote to memory of 3984	400	installer5.exe	88
PID 400 wrote to memory of 3984	400	installer5.exe	88

C:\Users\Admin\AppData\Local\Temp\41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe
  C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /t /dT132042019S /e6464533 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /t /dT132042019S /e6464533 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
248KB

MD5
22371a8f60488d167c752cf965f25237

SHA1
2119a78137f0188003fc312a02b12d2b842a2ef5

SHA256
e522bbb4e53e1fe3d4d4e3a8dc925d96afe02b1e50b604ef8e2a6abf194120ac

SHA512
3dcda9a228eea334726f3b621cbda96440f4434bb0e7fe36bd40a082aa6ab2d284fb8c61e7e10770aeb4c4968ac3711cb257d2b559643ed883886b64f49946d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe

Filesize
215KB

MD5
029162f299af12e48fc5ffde104766e2

SHA1
467b9336af5aec76cbb548ece146cd2d7b4e1264

SHA256
28e778a7e5f91d27cf37e7ed8624adb8e9f33d7d12d64ed6420b5345052591b0

SHA512
fa522ef2364e5a31c119993d8057a3337bffdb7ce259b810efeb59e105885c8ca75086e1d568121600a919ad160e3be2667486ab56de7e7393df8d895293863c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/400-47-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

Filesize
4KB

Download
memory/400-9-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

Filesize
4KB

Download
memory/400-10-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/400-11-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/400-52-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/400-48-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/3984-43-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/3984-46-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/3984-45-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/3984-50-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/3984-44-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/4928-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing