c133ab022b0db2adbaa030e8948a8f2f3df0481cbe0a05eab6be596776cd45b2

General

Target

b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Size

3.1MB
MD5

b2162f4890cf8b208f88970d83bf96bf
SHA1

df20ff3f5b308487ada89898d74aff0b9ff5668a
SHA256

c133ab022b0db2adbaa030e8948a8f2f3df0481cbe0a05eab6be596776cd45b2
SHA512

300b8284407c389a4de5b7bff8e7b74fa178e14b72ed079a61219dd52ee88099d621614e5c6e35d31c064d58cde86acd1aa3610696928f169f5ec90b873a46ea
SSDEEP

49152:HXvsCauuraeHgou98u6JIBf1YBVSzgm2QBs/szL8yK96puWV355FXw/+UuWV355C:HXvsCatrFHgaOfMVSzgm2B/g4m

Score

7^/10

discovery upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	C2A4.tmp

Executes dropped EXE 3 IoCs

pid	Process
5064	C2A4.tmp
2376	jdid23ll.exe
2324	jdid23ll.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2324	2376	jdid23ll.exe	84

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral2/files/0x000a000000023c0f-4.dat	upx
behavioral2/memory/5064-5-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/5064-87-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/2904-91-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral2/memory/2904-92-0x0000000000400000-0x0000000000658200-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240632781	C2A4.tmp
File created	C:\Windows\jdid23ll.exe	C2A4.tmp
File opened for modification	C:\Windows\jdid23ll.exe	C2A4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C2A4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdid23ll.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: 33	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	jdid23ll.exe
2324	jdid23ll.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 5064	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	82
PID 2904 wrote to memory of 5064	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	82
PID 2904 wrote to memory of 5064	2904	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	82
PID 5064 wrote to memory of 2376	5064	C2A4.tmp	83
PID 5064 wrote to memory of 2376	5064	C2A4.tmp	83
PID 5064 wrote to memory of 2376	5064	C2A4.tmp	83
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84
PID 2376 wrote to memory of 2324	2376	jdid23ll.exe	84

C:\Users\Admin\AppData\Local\Temp\b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\C2A4.tmp
  C:\Users\Admin\AppData\Local\Temp\C2A4.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\WINDOWS\jdid23ll.exe
    "C:\WINDOWS\jdid23ll.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\WINDOWS\jdid23ll.exe
      C:\WINDOWS\jdid23ll.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C2A4.tmp

Filesize
191KB

MD5
7c51a665b09509f5132748dd807121ac

SHA1
1bd220b5743a8763ee283f8c293a0782f0149b95

SHA256
e689d20675addef0963254195ba22e3061300ed49145af4410d4d5688a0a8838

SHA512
ee6e72a707729ded7df71dc71d3f02f3cebdd86c60a768cbb951e00168eb487134b059fcbfaedcb3c3c6cef668c725a1bb0d6bae9570757ae8704c330b87327c

Download Submit
C:\Windows\jdid23ll.exe

Filesize
152KB

MD5
bf12c59e5fa2dc0d5da6f52c354c0d74

SHA1
c071b84cf55a78930024c4230afeb391a77a8863

SHA256
ad0131444782e428ea57257d7b0240c1dac76ae6162e760fca010a76af4df170

SHA512
f11d0553707b0b96bcbc714e18a083e69ed9d7e05059d4c414bbc42be11222a0a8296a981e372f10bab501fdfa4b498d41858cc40232a3b62506deab3c266afe

Download Submit
memory/2324-94-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2324-85-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2324-82-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2376-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-72-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2376-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2904-8-0x0000000002AE0000-0x0000000002AF1000-memory.dmp

Filesize
68KB

Download
memory/2904-42-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/2904-16-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2904-32-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/2904-0-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2904-57-0x0000000002E80000-0x0000000002EA0000-memory.dmp

Filesize
128KB

Download
memory/2904-24-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2904-49-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/2904-37-0x0000000002660000-0x0000000002778000-memory.dmp

Filesize
1.1MB

Download
memory/2904-91-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2904-92-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/5064-87-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5064-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads