013d9902e74c6a2e2c9830361d00dca773bf28e5db7f22eb5618b02e2ffcb646

General

Target

464d0df40e812b559193270a015096de_JaffaCakes118.exe
Size

228KB
MD5

464d0df40e812b559193270a015096de
SHA1

c99b6aef26c3d2dbb757ae9f059ccfa94e60908a
SHA256

013d9902e74c6a2e2c9830361d00dca773bf28e5db7f22eb5618b02e2ffcb646
SHA512

f1dc26eda36d83fa633c0671695ae033438dd17e878321c0aedb0189bafcec9e297578ee24507937d5e97a8b268b1ef93ee86d9781d0ad3149da88f1003035d0
SSDEEP

6144:GclnqLykWN4Sl52tIbWeA+Slppx7wVANJmc:GAnqLybcIytPw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	464d0df40e812b559193270a015096de_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\464d0df40e812b559193270a015096de_JaffaCakes118.exe	609991.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\464d0df40e812b559193270a015096de_JaffaCakes118.exe	609991.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	RES.exe
4832	609991.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	464d0df40e812b559193270a015096de_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	464d0df40e812b559193270a015096de_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	464d0df40e812b559193270a015096de_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	464d0df40e812b559193270a015096de_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	464d0df40e812b559193270a015096de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	464d0df40e812b559193270a015096de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	609991.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 1196	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	87
PID 2284 wrote to memory of 3396	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	88
PID 2284 wrote to memory of 3396	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	88
PID 2284 wrote to memory of 3396	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	88
PID 3396 wrote to memory of 2720	3396	vbc.exe	90
PID 3396 wrote to memory of 2720	3396	vbc.exe	90
PID 3396 wrote to memory of 2720	3396	vbc.exe	90
PID 2284 wrote to memory of 4832	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	95
PID 2284 wrote to memory of 4832	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	95
PID 2284 wrote to memory of 4832	2284	464d0df40e812b559193270a015096de_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\464d0df40e812b559193270a015096de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\464d0df40e812b559193270a015096de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Roaming\RES.exe
  C:\Users\Admin\AppData\Roaming\RES.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ze2tlivk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F426BCF196A40F387F468A71354A1C5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Users\Admin\AppData\Roaming\609991.exe
  "C:\Users\Admin\AppData\Roaming\609991.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES81C3.tmp

Filesize
1KB

MD5
c8be745aca00d3a0c4d28237fea77e2d

SHA1
75f03b8d756a77682c42f86fa0e87b8a0c545e79

SHA256
b15e6d056a1815c9970e6d9f329089648359c3c246464a044ba5fe0a5b8e4b7f

SHA512
f1c3c1ab883c9c852ce55982dcd548aacf54bfb54ea6d67af9058c11b224057bb887ccb3b7d78393df13bc1060c46c0df79dab9cbf6d140aa9d9fe1b94391202

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F426BCF196A40F387F468A71354A1C5.TMP

Filesize
880B

MD5
1ef295eb1d4f2085f3ea32397646093d

SHA1
7a564e5ecc6109d807628a1031956062965aaefe

SHA256
1867f45e2e230c0620ecba417eb1d8d792ac290d5fd4a9774a3ba6d2fcc1a371

SHA512
6ccded7209f69deb689f6dadbbb30c346f9676db33427e4f6de7b3b58a1e0e43d594a63f2ea90616982c26a171d98f5657779a828d90fbe1c82abe5a2927ca30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2tlivk.0.vb

Filesize
1KB

MD5
0d2dc18fd7699d6c620bd10bf7c899f8

SHA1
14556f275f7ccdc4d9135fa6e433e139ffb94889

SHA256
ee175378dc736ed88cdee2a2429599b919eaa0a5b4d73817e71cec3fa2efa62d

SHA512
710f3ce23679713644ae527edb1fd34642eb080b41b6fa8bf42e3a1d6305799c6e2e6c5f1ffcd97dd8e400cacbe68cc5c4d94b4341fd3d28fc36601509bce296

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2tlivk.cmdline

Filesize
234B

MD5
4d845c7911a51a4ab36aa80a2a445071

SHA1
a148253938f0298ccb8aeb799e922cce977f5808

SHA256
9ab5e41a1e4e5149af7441613602f1ce38257cb9e6505670fa7d8203299c6587

SHA512
35b6e8dd91f7a97e430bbcbb7b0e1acf61c76ec2dabbdb896cbbda473dca089d688d3486f4953bf707e8b44e98e18fe4911146f6918fcd221800dc13ba0ca6b3

Download Submit
C:\Users\Admin\AppData\Roaming\609991.exe

Filesize
7KB

MD5
af84d31e354613599bd535a0631150b8

SHA1
40d847f70142fac3e04368baa428a09326626e85

SHA256
0cd057847ce054f1bede6a589f7850529c5684d404c11e7ff5bc00ccb987a049

SHA512
87893a80fd81633101b7b103e06bc469266e0aa2fbb3b38abfd26298b6a9218a0357198af37160daca9083a0fed48055001418fbca5eb17678e7ca2614e747b7

Download Submit
C:\Users\Admin\AppData\Roaming\RES.exe

Filesize
1KB

MD5
f54b30f21b7b118bfeda2b1ed3482f84

SHA1
bde084ea60646dadabfed4eafe5bafceb4c11b99

SHA256
62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

SHA512
8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

Download Submit
memory/1196-7-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-36-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2284-33-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2284-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2284-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2284-32-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2284-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/3396-26-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3396-17-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4832-31-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing