c6ce5a6066399c9bcbda29754885904212e175ba039cdfb9673f52d0a6e6605d

General

Target

JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
Size

1.2MB
MD5

981e906ab1ad31504e51446cd676b6c9
SHA1

3cc10f981674e7d034bcd332a34d3fe3b85ed316
SHA256

c6ce5a6066399c9bcbda29754885904212e175ba039cdfb9673f52d0a6e6605d
SHA512

98504fcf43225ac2a22d90d74ee002da9720eed2cf50d54023b6e41d83f67ed2fc2faf9fce2b3dd69a932e6fb421003c1a7451785605d4a65f21aa8b20763fdb
SSDEEP

24576:8YfbaD02b292QmX32w/N5cd+AD4swhQr8e4UZQO0CmL9j7iCFZO0EcS2eyJmY1Cr:8TlymnLH4D47hkuO0r9jGCFZb9wKE

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe

Executes dropped EXE 2 IoCs

pid	Process
3608	temp.exe
4240	WexTarCTx.ExE

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WexTarCTx.ExE	temp.exe
File opened for modification	C:\Windows\SysWOW64\WexTarCTx.ExE	WexTarCTx.ExE
File created	C:\Windows\SysWOW64\WexTarCTx.ExE	temp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WexTarCTx.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	temp.exe
Token: SeDebugPrivilege	4240	WexTarCTx.ExE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3608	2888	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	86
PID 2888 wrote to memory of 3608	2888	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	86
PID 2888 wrote to memory of 3608	2888	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	86
PID 3608 wrote to memory of 4916	3608	temp.exe	88
PID 3608 wrote to memory of 4916	3608	temp.exe	88
PID 3608 wrote to memory of 4916	3608	temp.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4916

C:\Windows\SysWOW64\WexTarCTx.ExE
C:\Windows\SysWOW64\WexTarCTx.ExE
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
743KB

MD5
42efebba0b23aebc470df8448d9841c3

SHA1
76f1112262dfa5ab2142832cbf1204c0bd78ae9e

SHA256
83a920746478bd0113e59da8a0fcee4e0901bc24b2a1866c49212ebfb08a35cd

SHA512
b72be7beff4f452d034426f3d7e34296099000aa480793baf87eb917f65cd3063bfb3b7cf3ac2f961daaa32aa980b0e740e5b7cf3328477897e21d48649b1088

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
memory/2888-11-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2888-16-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2888-19-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2888-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2888-18-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2888-17-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2888-10-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2888-15-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2888-14-0x0000000003220000-0x0000000003224000-memory.dmp

Filesize
16KB

Download
memory/2888-12-0x0000000003230000-0x0000000003232000-memory.dmp

Filesize
8KB

Download
memory/2888-13-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2888-3-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2888-6-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2888-5-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2888-7-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2888-8-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2888-29-0x00000000008C0000-0x0000000000914000-memory.dmp

Filesize
336KB

Download
memory/2888-27-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2888-1-0x00000000008C0000-0x0000000000914000-memory.dmp

Filesize
336KB

Download
memory/3608-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4240-34-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing