b4f139d8cafc99eccb66fd682df1b01ee06ebddb7a1d74bf71cfa21579fc0fda

General

Target

51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe
Size

3.9MB
MD5

51f4e3dc9be4039ef21ac36678d4210f
SHA1

e082f5c301d9fa49006c7c0c889926c9e5fe1dc4
SHA256

b4f139d8cafc99eccb66fd682df1b01ee06ebddb7a1d74bf71cfa21579fc0fda
SHA512

3bca46c02a11843673b97c6bc3c06f4528cbec520a3946ab2f8136f4c70fecf55225582eb1c2067825fc8ee09a1e5aac3260cee2fe0e8ed0a1c3f009b900c1f7
SSDEEP

49152:YvX+HmRfhQqJ17dqVDSsQTpY6rXLjtE0SM3Qxexre62Bh4OQ3Plsce20NeL9zNoe:PoTdzXXv6hy76ByR

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023cd1-173.dat	acprotect
behavioral2/memory/4600-174-0x0000000073990000-0x000000007399A000-memory.dmp	acprotect
behavioral2/memory/4600-189-0x0000000073990000-0x000000007399A000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	d927Installer.exe

Loads dropped DLL 18 IoCs

pid	Process
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe
4600	d927Installer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cd1-173.dat	upx
behavioral2/memory/4600-174-0x0000000073990000-0x000000007399A000-memory.dmp	upx
behavioral2/memory/4600-189-0x0000000073990000-0x000000007399A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1660	4600	WerFault.exe	87
4644	4600	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d927Installer.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023c7a-21.dat	nsis_installer_1
behavioral2/files/0x000a000000023c7a-21.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4600	d927Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4600	2912	51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe	87
PID 2912 wrote to memory of 4600	2912	51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe	87
PID 2912 wrote to memory of 4600	2912	51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\51f4e3dc9be4039ef21ac36678d4210f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\temp\d927Installer.exe
  "C:\Users\Admin\AppData\Local\temp\d927Installer.exe" /KEYWORD=d927 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1668
    3⤵
    - Program crash
    PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1504
    3⤵
    - Program crash
    PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4600 -ip 4600
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4600 -ip 4600
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d927Installer.exe

Filesize
2.6MB

MD5
b027191a02d357dddc850faa08ac634c

SHA1
3afed1741b1e4f2b8a41794f84b7c08910666a45

SHA256
7fe8730370c40bc0ee96051d9988f13ff78eb2ba939ea1a0f4bcdd1c462dfd98

SHA512
7e594b9035220d4faf00f94d9ef9700e6a92b7861431accf17ec25ed056a1a0fb9318c75d15d1f3f570da9b1b507f4a7a3f5fb48c1e66d32d771b23138023bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\nsURL.dll

Filesize
109KB

MD5
ee1c41db6834538ee4048ccfc45055be

SHA1
efbbfc884a3193fadf542b0bef387cffc86923b7

SHA256
8904eb2c575ac5509d1a19f7c14b6ab804e88c22e3c2232d45de4198cf9850aa

SHA512
312c60a27ee625c9454cb8403c575bd2f9562fd1288ae84ad648018b62e455bf89928acb2508e75be8e76cd19ac1127e873b1187d06fa265ca2e624e02382ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\square_greatarcadehits.bmp

Filesize
2KB

MD5
11d93cc535227b3351a70a3c8d8dfeb1

SHA1
ce4e0b61c3b08b984e22244a75cdbd2fb4e08584

SHA256
0f6c9e02384b109bd440a1d34a1928895b014f56079162b295df55afb73c7e29

SHA512
413d7c55a9f8b6267468841f608f0c1e70d25308f3a3b55bc619485ac33336e182a375177e9f32614a44a927b5c2c70d15fe9abb7881ac2ecea2a7a11d294345

Download Submit
C:\Users\Admin\AppData\Local\temp\d927installer.ini

Filesize
437B

MD5
d2ba75d02f6ce99102d03f2fba9c0f68

SHA1
15821bc60394b163af673a56a38d5615d4d431ee

SHA256
ba90a91cdb2eb28c9f06917b3aa73bbc2c3b045969c181d7da8f983ea36c209d

SHA512
e00143a31d61e343491f7bcd7090589dac0b94e9797461b3e0192a7c7972e51f8431796fdc9b48cabcfb15cae72baae9f6d3a71eb5c352ac2cdba53eeebda6e2

Download Submit
memory/2912-192-0x0000000000510000-0x0000000000571000-memory.dmp

Filesize
388KB

Download
memory/4600-174-0x0000000073990000-0x000000007399A000-memory.dmp

Filesize
40KB

Download
memory/4600-189-0x0000000073990000-0x000000007399A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing