13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947

General

Target

fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Size

11.2MB
MD5

fe3ec61798741f90f745a0f508f78c33
SHA1

a61540c961cbc8cc90715c610ec7e957d4153757
SHA256

13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947
SHA512

78fee25e34482064bdcbcdb1681c4156d6ecf5db1ede0273cbe8b8e887bd30a30c1fc9f4fc8bd4d7921321386d8728ddc4dfdd0ab44b1c76ed3a490b23d2e9ee
SSDEEP

196608:ytgZqGeTGDbev2aL8bpXxOUu8q7WtnlpWGj8zPMw4XtPRk4R3BxCkfHOU08:bqGeTGWv2hlJj8SXtPR/3BxZHlX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3608	Vector Magic.exe
1956	Olsders_8.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	Olsders_8.exe
1956	Olsders_8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.ini	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.exe	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1484	3608	WerFault.exe	82
2308	1956	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vector Magic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olsders_8.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b90-25.dat	nsis_installer_2
behavioral2/files/0x000a000000023b91-40.dat	nsis_installer_1
behavioral2/files/0x000a000000023b91-40.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe
1956	Olsders_8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3608	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	82
PID 3628 wrote to memory of 3608	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	82
PID 3628 wrote to memory of 3608	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	82
PID 3628 wrote to memory of 1956	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	87
PID 3628 wrote to memory of 1956	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	87
PID 3628 wrote to memory of 1956	3628	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	87
PID 1956 wrote to memory of 3588	1956	Olsders_8.exe	88
PID 1956 wrote to memory of 3588	1956	Olsders_8.exe	88
PID 1956 wrote to memory of 3588	1956	Olsders_8.exe	88

C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe
  "C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 296
    3⤵
    - Program crash
    PID:1484
- C:\Users\Admin\AppData\Roaming\Olsders_8.exe
  "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\Olsders_8.exe
    "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 852
    3⤵
    - Program crash
    PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe

Filesize
32.6MB

MD5
008447156ab02ae2c7428639b2c812df

SHA1
9b4de5635152b5d217b7c22f18141ca1efecc52c

SHA256
d9ed5b3ba625da9acf731290d3d45cc1192336c8beda5652f757ab8a3d4bdc00

SHA512
caa2b5c9d6b23a7763a4aa117b3df2239006710f7f61398b3e059596160d20e98f2fb5ad2b2387d1b235e3d95c031d8fa65b8cd88f7bd294df7d89a540908c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
3.0MB

MD5
e8992b1cf5ca990fc3781860d82eef4d

SHA1
3ad636b85ce23d58303e1ab453f55fe7f5eb71b8

SHA256
37d5faa577d6643212c71f952e4132f8284a0f997bbc8c665e0584de87f38827

SHA512
a827b83bb9019bdfa7fb187364799dd05e1b33c11617d38327f72add41b6a87f85d9788b4caa75b4d65783bd593cd543a0ef66d03639cfaa166c1f9914871f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso832B.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Olsders_8.exe

Filesize
512KB

MD5
f49790681940884fe1df35a094f09b50

SHA1
5ac2fdc8530239f9a56f185b4ec28adaf0417865

SHA256
f54a4d8df2d9b58d1dae11003b21bef238239b16a1823269a8da73aaacdf1aa6

SHA512
d812f9cb50265ecba35e65c5add77c5da96633eebb3efbd8d174894725cda7b5457f8e4f3d4ab5a04035361325941bb375d6698f024b829eeff8ce07e8206a53

Download Submit
memory/3608-37-0x000000007FC80000-0x000000007FE44000-memory.dmp

Filesize
1.8MB

Download
memory/3608-38-0x000000007FC80000-0x000000007FE44000-memory.dmp

Filesize
1.8MB

Download
memory/3608-31-0x000000007FC80000-0x000000007FE44000-memory.dmp

Filesize
1.8MB

Download
memory/3628-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing