b276f2560d2ad3562df8b8af81d2928ff4eb1fa15c16e19f06528e1127ea6505

General

Target

5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe
Size

867KB
MD5

5564516abb20a1f25cece075d3a72ed6
SHA1

53536c4a1c1e0e186a3aa426383de3466bc87972
SHA256

b276f2560d2ad3562df8b8af81d2928ff4eb1fa15c16e19f06528e1127ea6505
SHA512

8b19c273e3604909109900ed542f636e09038e4d147c4c18a39af0716ab2f7a786ec35e6caf9687730096649eac0e8c0e52fc29fb8ad5fda6ea1e645018e1405
SSDEEP

24576:/Q3Qa0qoaZ11txQI0tEuIkxNVzi//h9jGBb1Xy:8znXQI6LP7Ve/LjGBpi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4244	noteitemp.exe
2408	NotepadPro.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Notepad\NotepadPro.ini	NotepadPro.exe
File created	C:\Program Files (x86)\Notepad\NotepadPro.exe	noteitemp.exe
File created	C:\Program Files (x86)\Notepad\Notepadpro.ini	noteitemp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotepadPro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noteitemp.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023bab-4.dat	nsis_installer_1
behavioral2/files/0x000b000000023bab-4.dat	nsis_installer_2

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\print	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\print\command\ = "\"C:\\Program Files (x86)\\Notepad\\NotepadPro.exe\" /p \"%1\""	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "NotepadPro.bin"	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\open\command	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\open\command\ = "\"C:\\Program Files (x86)\\Notepad\\NotepadPro.exe\" \"%1\""	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\print\command	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\Old Default	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "NotepadPro.txt"	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\print	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\open\command	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\Old Default = "txtfile"	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\print\command\ = "\"C:\\Program Files (x86)\\Notepad\\NotepadPro.exe\" /p \"%1\""	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\shell\open	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\open	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\open\command\ = "\"C:\\Program Files (x86)\\Notepad\\NotepadPro.exe\" \"%1\""	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\shell\print\command	NotepadPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.txt\ = "文本文件"	NotepadPro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NotepadPro.bin\ = "Notepad Document (.bin}"	NotepadPro.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 4244	3452	5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe	87
PID 3452 wrote to memory of 4244	3452	5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe	87
PID 3452 wrote to memory of 4244	3452	5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe	87
PID 4244 wrote to memory of 2408	4244	noteitemp.exe	88
PID 4244 wrote to memory of 2408	4244	noteitemp.exe	88
PID 4244 wrote to memory of 2408	4244	noteitemp.exe	88

C:\Users\Admin\AppData\Local\Temp\5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5564516abb20a1f25cece075d3a72ed6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\noteitemp.exe
  "C:\Users\Admin\AppData\Local\Temp\noteitemp.exe" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Program Files (x86)\Notepad\NotepadPro.exe
    "C:\Program Files (x86)\Notepad\NotepadPro.exe" A
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Notepad\NotepadPro.exe

Filesize
826KB

MD5
ad28239d7c7b01b6ce935110804dee6a

SHA1
abf965d38014cd2d363032d6c45787a33e6f45a9

SHA256
aaa7bbf2c86f1d976abb61ef17cf3d3c970ef59ef236b2236b2f496ed4c96dcc

SHA512
18606179927a30bdf95b71a71622e64e14e6b445372aab838c095076398f31422253615f33329e0dd7dc2b119e4bc9c5447d836f56825801312da0956cabf2da

Download Submit
C:\Program Files (x86)\Notepad\NotepadPro.ini

Filesize
23KB

MD5
5a5e6b480fc3db95616470e3bdd94077

SHA1
06486948e540b79e57fb4d10749b09741be10b37

SHA256
7bdcc9b94539ceda8efc7b0e5ea2627ceb2877c0ba464ba05af7e92f901f2f89

SHA512
a5166aa921bdbe06183907e4d6df088bc5bae3643a905147c9b11173a05f3ccc0948d6131132b8690d9be3127d53bea7cf640b640326ae2a13690b28d848bd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\noteitemp.exe

Filesize
369KB

MD5
ae3b55fe3bfe0b56d85e3f50221c2df5

SHA1
3fb2c54c685ef187b5472d276214ec74ab2c1654

SHA256
6a67df54a9a757b5594d90061f6beac3cad248ea943bcd552ca57fad2d4e78d7

SHA512
3657a0ea6c01b3aa9f850075bf633faff7a2c207a38a7650729d8df7d0b5e24aeea2cc3fbcb5308451257f45e501216d3e639121da095e6065f760aeacfee60a

Download Submit

Analysis

Sharing