115879ea154db5c6ab8b85fd0cdc3e08a688f4294c505da81e5be63c372438cc

General

Target

954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Size

78KB
MD5

954eab95321ab04402ae0957a35f0001
SHA1

be3bfc17a07431bb4c6d65f18dcdcab9f27c6d86
SHA256

115879ea154db5c6ab8b85fd0cdc3e08a688f4294c505da81e5be63c372438cc
SHA512

a12ac5ab7f6c3456ab4de5d5b6fdf6f07e70f694865806dee2a2bd1ea6160113f5b713dc8f0a32beac51b6ea35e1cd3936064b48d7560e1bb48eaa980a16c76a
SSDEEP

1536:XPy5jfXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtd6+9/m1Ma:XPy5j/SyRxvHF5vCbxwpI6WJ9/Q

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4900	tmp65BF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp65BF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp65BF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Token: SeDebugPrivilege	4900	tmp65BF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1408	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	83
PID 1376 wrote to memory of 1408	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	83
PID 1376 wrote to memory of 1408	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	83
PID 1408 wrote to memory of 2892	1408	vbc.exe	85
PID 1408 wrote to memory of 2892	1408	vbc.exe	85
PID 1408 wrote to memory of 2892	1408	vbc.exe	85
PID 1376 wrote to memory of 4900	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	86
PID 1376 wrote to memory of 4900	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	86
PID 1376 wrote to memory of 4900	1376	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fzw4shw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE5E55CDEBE64B4DAD3186D6F18D66D4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-fzw4shw.0.vb

Filesize
14KB

MD5
9090e9f254675aa3e47f2ed71e7c278b

SHA1
b35ad9f2bfd468ae145809c30562e61522b7b2ad

SHA256
d8f23a924aeb8844abdae9961e0d9a25011b2db3f9c51e9ff27a6ff75093f6b1

SHA512
9d5b6a1da527fa15015ca7e0efcb5383bba626dd176172a6c6380041aa07cc3c91cb955a2960a72bb7d37b1a90246a48c0660ca46c0740fa49082f812ade0653

Download Submit
C:\Users\Admin\AppData\Local\Temp\-fzw4shw.cmdline

Filesize
266B

MD5
0b4beefafb46da09a696921d9a4aea5b

SHA1
b504ccc4e6320174ad6bb0518d5907210db67ac0

SHA256
54e4e0d75c924e5ac334d2c7a2f0f38b9a49dd8f058a48c5b3cb8b20340665b1

SHA512
bddb2f32aec79e5461a14707b7bcd9019df23ed80680f42ec96211a17b92fbb2f5e272f330f57f9ee42c6eb0bfd2482575469351b30b24d5d6cf1d5fcac5355e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6699.tmp

Filesize
1KB

MD5
b90d2c8e2ed66519fb1749f8f378d0e4

SHA1
66c8b62e1d56005ef28e0fdd3aabbe4c8011ff3e

SHA256
e42442dc778f6ff7114bed1e82f975ebe113c8a98f52ae62343a5fe994885d92

SHA512
2ea327da9cf9d3156b695a79307d86abe3f8f13312f9275894f79fb662a1c7953fcd5f4366c3d016ddcb27fed4ccfde19083033d519fabdb309cfa15732c5ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp.exe

Filesize
78KB

MD5
4fafc80d32fef0480f685c25eccc5d8a

SHA1
af9b6a95a373730d0d10c495baa9b0ac04ee2ed7

SHA256
7aac3e46d2a8a3dfb4a44f4835bfac60f1756e3711b7bbb494f9cea976faed60

SHA512
38caea8c306d6bf590d61144bd456669dbc55834b23af621e7fdc06bcd30f4214ac5d584e96058af298bbea35e6b1ea1068371d21f17cbae77b516419c21d444

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE5E55CDEBE64B4DAD3186D6F18D66D4.TMP

Filesize
660B

MD5
55cb34ff4677a52f058f9bb430d1dc9e

SHA1
ee3667c45083f1ab6153adaf3c462a39200c72be

SHA256
3a577de3d93f4756c927a8edc1c1c2a5c8d32d17766cdb3cd10f604c0ac36adc

SHA512
271d4967d9972d8023351a5e53b7854148c5e5544ffbe252598cc765ec3ffea8c5080166b58547024e722e76ced5225058a44e0620c55773b89768efe1d73ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/1376-0-0x0000000074BC2000-0x0000000074BC3000-memory.dmp

Filesize
4KB

Download
memory/1376-1-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1376-2-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1376-22-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1408-18-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1408-8-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-23-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-24-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-25-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-27-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-28-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-29-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-30-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4900-31-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads