b0fe93dd9c1c8171aa67dfa21ca26124b9f1e893eff56d407a43b802d96b65b6

General

Target

9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe
Size

360KB
MD5

9f0f2b4a2fe38245dd321b8fb7e51308
SHA1

b2aacf71216a220862aa773e16a463d389e83353
SHA256

b0fe93dd9c1c8171aa67dfa21ca26124b9f1e893eff56d407a43b802d96b65b6
SHA512

cd307c80f695384f87db9b63d5c70642d729d49c0c6d8cf9852e6dc17b39b7a5b45e67c9be49a92a33b9daaad5ae3f83eb91535bc5adecce77af9c6f5e47f505
SSDEEP

6144:mzG8nriOnW/rGgGEh4/+mkROq9d05pgcVC7DJbxwH19qQCWX33lEb:e1DYri/QRB9dYt2D7M7qQCWVEb

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

sil.exesil2.exe

pid	Process
4028	sil.exe
3260	sil2.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4028-25-0x0000000000400000-0x000000000049C000-memory.dmp	autoit_exe
behavioral2/memory/3260-29-0x0000000000400000-0x000000000049C000-memory.dmp	autoit_exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b62-8.dat	upx
behavioral2/files/0x000a000000023b61-22.dat	upx
behavioral2/memory/4028-23-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral2/memory/4028-25-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral2/memory/3260-29-0x0000000000400000-0x000000000049C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.execmd.exesil.exesil2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sil2.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

sil.exesil2.exe

pid	Process
4028	sil.exe
4028	sil.exe
4028	sil.exe
3260	sil2.exe
3260	sil2.exe
3260	sil2.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

sil.exesil2.exe

pid	Process
4028	sil.exe
4028	sil.exe
4028	sil.exe
3260	sil2.exe
3260	sil2.exe
3260	sil2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 3948 wrote to memory of 2908	3948	9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe	82
PID 3948 wrote to memory of 2908	3948	9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe	82
PID 3948 wrote to memory of 2908	3948	9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe	82
PID 2908 wrote to memory of 4028	2908	cmd.exe	84
PID 2908 wrote to memory of 4028	2908	cmd.exe	84
PID 2908 wrote to memory of 4028	2908	cmd.exe	84
PID 2908 wrote to memory of 3260	2908	cmd.exe	85
PID 2908 wrote to memory of 3260	2908	cmd.exe	85
PID 2908 wrote to memory of 3260	2908	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f0f2b4a2fe38245dd321b8fb7e51308_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\sil.exe
    sil.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\sil2.exe
    sil2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
99B

MD5
56aa57faace3cdf419642dd857022dbc

SHA1
ff5d04e1acc9a2e9c6e1aabcd914e9e2c61c3308

SHA256
a384aa77f7ef0c283afd0f47757f28e6a1e1a913f72621f02cbb844f0df36b27

SHA512
0bcba59d779e0263dee0ed5d35629b9bc0e470ef65920697d8deea757aab05c8c7149916341d0ee2c1de51baaf77b1247185e9b65f9c3b4edaa1e18126f9ae5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sil.exe

Filesize
244KB

MD5
1cfc30a5e0e262f1dbe5911ab322684e

SHA1
5a9f9571643bbc53b8d7bd3e57d0f88efa8ec457

SHA256
010d64b0fd6f0be6dbfb766c59c9757c0216adc788bcd04a097954d16ed55c42

SHA512
6d11c9ba8157db5c030c5faecac15596dbc420553e3e44659fbcfc169a620f33749a5568bf5f63c54dcdbba18aeac0b6809d54041f0dff7bdf73d4d6d062f30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sil2.exe

Filesize
244KB

MD5
6850a8978718eb41f467139922c0caac

SHA1
39dbb1fb4576085f235a61c3bd470024540b3d3f

SHA256
a31dc09c530748bd943daeac3b74e04ac030fdf2790e97dc1ad97325c8ecc2fa

SHA512
b45958895d91d5851403602b48f88bafd87d0cc4a6831308f0a96eba1a15bdab3c54b928292d2d96e7ca236eb7f573c3dc4e07a0f559a11e806081ff26e3bc53

Download Submit
memory/3260-29-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3948-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4028-23-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4028-25-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads