b02284d01ef832990948841332b49cadfbadd2243572996d662b6dad3fe72f6e

General

Target

de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe
Size

560KB
MD5

de8a14ef266e7c3ec68e2608e20b8f7c
SHA1

4f9e12047ba5a5badd32c4ce518afe50c20b5656
SHA256

b02284d01ef832990948841332b49cadfbadd2243572996d662b6dad3fe72f6e
SHA512

3bc01a1a13e58039a7941e03575484a1cf1f99805191ba5ff1ba8923c48bb15f0dfb1f4fc159cb697a3dcaf457d72ec28538d586879b14cc7e312face1a76903
SSDEEP

12288:EfOm7mgLIMbK7SYl3d0B3gFOG37SXNUSobWf8zj:EfOADLIKKVt0BQ4BXNUqe

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	Anti-Av{Coding}.exe
5076	mass kill 1.2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b98-13.dat	upx
behavioral2/memory/2096-23-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-19.dat	upx
behavioral2/memory/5076-28-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/2096-32-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5076-33-0x0000000000400000-0x0000000000499000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	2096	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anti-Av{Coding}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mass kill 1.2.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe
5076	mass kill 1.2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	mass kill 1.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2096	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	83
PID 3932 wrote to memory of 2096	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	83
PID 3932 wrote to memory of 2096	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	83
PID 3932 wrote to memory of 5076	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	84
PID 3932 wrote to memory of 5076	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	84
PID 3932 wrote to memory of 5076	3932	de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de8a14ef266e7c3ec68e2608e20b8f7c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\Anti-Av{Coding}.exe
  "C:\Users\Admin\AppData\Local\Temp\Anti-Av{Coding}.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 400
    3⤵
    - Program crash
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\mass kill 1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\mass kill 1.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Anti-Av{Coding}.exe

Filesize
335KB

MD5
3cc219b3e0c3feeba3b8c83a54179699

SHA1
2505c7ebe5604d49f244d1e517fe2950699f3c6c

SHA256
a93905cfa5d94e850000891336018fb1823d96462e3a50e71fa239680d620190

SHA512
1a4a4107ed1bb0fabe3e41b5666bc1a48afa98cc2b265de254cc660c0ca620a6ec2ff17b9d5d1873b2f5a8eecdbaf0a066261cae7f9a334cc59c70c6476bbb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mass kill 1.2.exe

Filesize
209KB

MD5
eabe3ffd26542a5c9ae6c46e3d73dc7a

SHA1
8773961f9459637b9dad557d606da8c9254bd18c

SHA256
28ea066ef522fb31e9e64530b14a58e594364ca8215fad20cb8ed67311d9b45e

SHA512
31197b235afda0fa196e7833dcbcd63ca5fcd19eee6a2a1eddd6c75505365e833bdb9f68440ac094a7448b4b8f5e927f850893cb02e8161ae71251187f975b78

Download Submit
memory/2096-32-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2096-23-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3932-4-0x000000001C120000-0x000000001C1BC000-memory.dmp

Filesize
624KB

Download
memory/3932-5-0x00007FFFDA730000-0x00007FFFDB0D1000-memory.dmp

Filesize
9.6MB

Download
memory/3932-6-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/3932-7-0x000000001C3D0000-0x000000001C41C000-memory.dmp

Filesize
304KB

Download
memory/3932-0-0x00007FFFDA9E5000-0x00007FFFDA9E6000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x000000001BB30000-0x000000001BFFE000-memory.dmp

Filesize
4.8MB

Download
memory/3932-2-0x00007FFFDA730000-0x00007FFFDB0D1000-memory.dmp

Filesize
9.6MB

Download
memory/3932-30-0x00007FFFDA730000-0x00007FFFDB0D1000-memory.dmp

Filesize
9.6MB

Download
memory/3932-1-0x000000001B5B0000-0x000000001B656000-memory.dmp

Filesize
664KB

Download
memory/5076-28-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/5076-31-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/5076-33-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/5076-36-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing