493b8fcb4dcfe2733ab194a19dd07ecad68f766df45b2d6bea7333a630b62d2d

General

Target

560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe
Size

227KB
MD5

560f1990cf5aa74b8ca285c3113c09ce
SHA1

8f6b608a0e2cbd739f7348671c6bf697eaa93369
SHA256

493b8fcb4dcfe2733ab194a19dd07ecad68f766df45b2d6bea7333a630b62d2d
SHA512

69c962f5ed8e8aab609c1bc8145d84e2034bc02da9c57b42aeea8e17863e1288f84065e6ca18f5b5ba838eb0eb8600bd66467e7155c18d06d6c3810c8929dca0
SSDEEP

6144:IfOpM5uMf/j/lSCq0wWCBY5y3aiAGWd573slDD0Ig:ImpM5t3nFCBY5dikLsVE

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ins831.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2188	ins831.exe
4400	ins.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ins.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ins.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/744-0-0x0000000000F80000-0x0000000000FDD000-memory.dmp	upx
behavioral2/memory/744-31-0x0000000000F80000-0x0000000000FDD000-memory.dmp	upx
behavioral2/memory/744-38-0x0000000000F80000-0x0000000000FDD000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ins.exe
File created	C:\Windows\assembly\Desktop.ini	ins.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ins.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ins.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4400	ins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	ins.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4400	ins.exe
4400	ins.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2188	744	560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe	85
PID 744 wrote to memory of 2188	744	560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe	85
PID 2188 wrote to memory of 4400	2188	ins831.exe	89
PID 2188 wrote to memory of 4400	2188	ins831.exe	89
PID 2188 wrote to memory of 4400	2188	ins831.exe	89

C:\Users\Admin\AppData\Local\Temp\560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\560f1990cf5aa74b8ca285c3113c09ce_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\ins831\ins831.exe
  "C:\Users\Admin\AppData\Local\Temp\ins831\ins831.exe" ins.exe /e54496 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\ins831\ins.exe
    "C:\Users\Admin\AppData\Local\Temp\ins831\ins.exe" /e54496 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ins831\ins.exe

Filesize
254KB

MD5
473b7bc5d6fd58f3c86a29ff64035bad

SHA1
69a8bbb0ed0be2f66459030ccb77a6f8307d46f9

SHA256
107d940514fcd5cfe2e62d4e23357dd2eeef7543b082a4b959e11569aaf180b1

SHA512
2cb5c110c8e4aba59f3c6bed7b6dc4a4624538d906ad18be72e687f695ef825aad117457eab895c01295878dfe25e1b6b0ed25de29c6f1558e20ed6be3411d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins831\ins831.exe

Filesize
138KB

MD5
9543c7e436381a7853e8182a35152e38

SHA1
3e828372157a880edde5e5621a7888900d686d76

SHA256
1628a5b49145659ebddd692829fd2c067569452f85769ef831376b8bb36c6c26

SHA512
cd82be11ffa1c17eb95a110741ba1199b38da11aaf13a40dd7c9de8ec4fa7a56a48e718cd1a30cd4fa47000a757e62c0fff4285c0b0af21460b3ea986b1951e4

Download Submit
memory/744-38-0x0000000000F80000-0x0000000000FDD000-memory.dmp

Filesize
372KB

Download
memory/744-0-0x0000000000F80000-0x0000000000FDD000-memory.dmp

Filesize
372KB

Download
memory/744-31-0x0000000000F80000-0x0000000000FDD000-memory.dmp

Filesize
372KB

Download
memory/2188-13-0x00007FF997950000-0x00007FF9982F1000-memory.dmp

Filesize
9.6MB

Download
memory/2188-14-0x00007FF997950000-0x00007FF9982F1000-memory.dmp

Filesize
9.6MB

Download
memory/2188-32-0x00007FF997950000-0x00007FF9982F1000-memory.dmp

Filesize
9.6MB

Download
memory/2188-36-0x00007FF997950000-0x00007FF9982F1000-memory.dmp

Filesize
9.6MB

Download
memory/2188-12-0x00007FF997C05000-0x00007FF997C06000-memory.dmp

Filesize
4KB

Download
memory/4400-26-0x0000000073792000-0x0000000073793000-memory.dmp

Filesize
4KB

Download
memory/4400-27-0x0000000073790000-0x0000000073D41000-memory.dmp

Filesize
5.7MB

Download
memory/4400-28-0x0000000073790000-0x0000000073D41000-memory.dmp

Filesize
5.7MB

Download
memory/4400-34-0x0000000073790000-0x0000000073D41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing