930637d070ef2c085dee39591e9ef6f61b0bf92c0c8d851dfa5ea33e03462cba

General

Target

433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Size

64KB
MD5

433dec19a3092cad1d9ab9f22fede0aa
SHA1

22987372b4e3e0dd82490430e74c23669c719731
SHA256

930637d070ef2c085dee39591e9ef6f61b0bf92c0c8d851dfa5ea33e03462cba
SHA512

b4191510de2c44923ab5881d78da9a595732ca3d7e7b25b561d035b24569dbe8629d91f1a1ede43fb58b749a2619940efa09dd83aebbb34f4147ba7973c48552
SSDEEP

1536:mwtp3nq8LXk/4g2fOG9HDvSvICqBMvA94DK4tbwgvX:D3lYIOyjKvIvBstDHVwA

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b96-5.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4156	rundll32.exe
4156	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\myAddr.dat	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doansm.log	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\22354.dll	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc_my.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sfc_my.dll	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/116-4-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-5.dat	upx
behavioral2/memory/4156-7-0x0000000010000000-0x0000000010104000-memory.dmp	upx
behavioral2/memory/4156-12-0x0000000010000000-0x0000000010104000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4480	4156	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4156	116	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe	88
PID 116 wrote to memory of 4156	116	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe	88
PID 116 wrote to memory of 4156	116	433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe	88
PID 4156 wrote to memory of 2144	4156	rundll32.exe	90
PID 4156 wrote to memory of 2144	4156	rundll32.exe	90
PID 4156 wrote to memory of 2144	4156	rundll32.exe	90

C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" 22354.dll,myImeInit C:\Users\Admin\AppData\Local\Temp\433dec19a3092cad1d9ab9f22fede0aa_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\sfc.exe
    "C:\Windows\system32\sfc.exe" /REVERT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1248
    3⤵
    - Program crash
    PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4156 -ip 4156
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\22354.dll

Filesize
22KB

MD5
4970fabaacf313ba47c69a80ed15fe71

SHA1
512ab4d130e25e2659032c582028c3f5b0d31aef

SHA256
d88831cde6c76c62e4519db584f73274f8d6cd9e4ab2312734603cd5d8e89c96

SHA512
b8f061c2368f8861298048f35ec53d868b2d4f104a9b482b7bc64c9803b0d22eff284c993c96fd0f107930e214026676acccfae0863e0270a83480ce88024901

Download Submit
C:\Windows\SysWOW64\sfc_my.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
memory/116-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/116-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4156-7-0x0000000010000000-0x0000000010104000-memory.dmp

Filesize
1.0MB

Download
memory/4156-12-0x0000000010000000-0x0000000010104000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads