14590972dbc8599f7b62f1daa97e2774187a85e42bc2058514b8503f260cf100

General

Target

a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Size

78KB
MD5

a488a793801843c4e5c4f20a0bdcee2f
SHA1

5204c05066abdc553d1e2283bf3ffd84bbdf3a62
SHA256

14590972dbc8599f7b62f1daa97e2774187a85e42bc2058514b8503f260cf100
SHA512

1e16de930d9b9132e9163a63816fc6ada851a3b95ec0e7fab0d54829682ecabb2174130ca4b216390cca7430f49b88689caffe032596f46c3603ba02a91914b4
SSDEEP

1536:QWV5xLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6T9/T154:QWV5JE2EwR4uY41HyvYc9/Y

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	tmpB9EA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB9EA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB9EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Token: SeDebugPrivilege	4628	tmpB9EA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1400	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	82
PID 1512 wrote to memory of 1400	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	82
PID 1512 wrote to memory of 1400	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	82
PID 1400 wrote to memory of 4684	1400	vbc.exe	84
PID 1400 wrote to memory of 4684	1400	vbc.exe	84
PID 1400 wrote to memory of 4684	1400	vbc.exe	84
PID 1512 wrote to memory of 4628	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	85
PID 1512 wrote to memory of 4628	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	85
PID 1512 wrote to memory of 4628	1512	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7d-ylz4g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB3486768DB94200AA7C6AB63E25FC7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4684
- C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d-ylz4g.0.vb

Filesize
14KB

MD5
58ea98a7bccd4e059aaff5d32245fe06

SHA1
cb975536fd12a85b12dab8325f686cf433dd37f3

SHA256
3ac1b069c9224d5574f9a72741bb960891f93e48e0860b1c33cb15aba0850d3c

SHA512
1f81f5e7fbd484332a8845e49c232a921ae8f7ec65500774e29df419aed6b80fc97dbbbf6d370d759fb5cba4b3aa62c1a9f4351976e336e97d89280f378d40ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d-ylz4g.cmdline

Filesize
266B

MD5
1fddb48e883506e8412440509d087eb6

SHA1
183cde80b078321a5651264f3d230b6a09d2e6e9

SHA256
a049c4dcc6523af0bb2544e323cc262da338b1b854a9f482fa89473a76bf21d0

SHA512
cf2ceddc1757c7832e27087fafa3fcc0b9f2292f159e9d81a2685a2d117e93c159621bc4fa2a829951adf50e947fee6a9629ef794a6e88e3a099aa7f8f52db65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAA5.tmp

Filesize
1KB

MD5
4bdad69bc318d38e083fe5d3d44b46dc

SHA1
0c60e143f18b8e60f8cd5177f9763492e96474ef

SHA256
363f1e317bd9790ae172664ed11abb6b0193833e963f10c76f7f4460b32e7712

SHA512
0fedd34fa2e8d7568e5f8e002dba99ccf9a346b0f81bc7a0fa9d916487d9bbf5a7cb655def85fde91030ec462fe968469bc6fa441c231b02bf07a0b22bc41c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.exe

Filesize
78KB

MD5
876868e1a91dbd83fcdd4574208391f7

SHA1
6a1cb24f314e66c4822c375bb943bcb39e0c9d7c

SHA256
d2868006a76e21f36b22dc445f3d20a128ddb4356b8116f8d83902299a00af67

SHA512
752b69ad4516d049d17e2bfc343ee4e16e9e9239b98663df21adc842c81c7e952d2a201e8906ee738008672f7ea68d10f30225860dbc2d683f84b5cc8ed3aec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB3486768DB94200AA7C6AB63E25FC7.TMP

Filesize
660B

MD5
eef4c74dc3d9e97cc4aef41c117b177a

SHA1
05df895eb2f0ceb7e970ee6c85ca746b5e92a905

SHA256
39a77f75bc5d7750380723e3526f26d98e56bc355f3bc7dc64a4c0302e0c2c3b

SHA512
ec816b4c07b6a6d81788237a8a6787e2d6155275be953f186ce0afc7dfb8408e45c9f3f22ad07805c5f86e6a788a81f40719e21c354b81a26bc7e12ab73f5a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1400-8-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1400-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1512-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/1512-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1512-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1512-22-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-26-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads