52311052ceb3b81b47f2aae9a1421036ac04fb97d63b850d858b7e35fb57617d

General

Target

e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
Size

420KB
MD5

e9bfa6e5d7154416fd7bf7d198944803
SHA1

fb1d1357faff1766fcbefa16c7eed343a6581185
SHA256

52311052ceb3b81b47f2aae9a1421036ac04fb97d63b850d858b7e35fb57617d
SHA512

4d9bcf913cfde16772e2a067f65f7a331752ea3754c6278e3e78ca074dca37f971b54dd1c245c02ffa4193619120094ee1cda8b92a18dce31321071daa8520e0
SSDEEP

12288:WwaA3t7VPRw+8cOSQN2jyGFyFjISvfsJJa/oSdd:ppbw+8cze/jL4U7d

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1516-0-0x0000000000400000-0x0000000000602000-memory.dmp	upx
behavioral1/memory/1516-146-0x0000000000400000-0x0000000000602000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
1516	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
1516	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
1516	e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da6337986e0aad52d070858da0ad0c92

SHA1
f0e68c0a007a4af89570ae7eb84290bcc9d4fe17

SHA256
9ffa469cddd44605afb09755a84dfa4ee60898455425d00ce65dea861b0c8e73

SHA512
4a069f1d6db72808f01f710bf538394708dcc85a12fd3c950a9efd50268005ee2a819d608e76afaba1a1a773ffe5c759036afe01abf9c550cfa3a673c6df299d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09165ca71ec0d070190b4e060ee9a714

SHA1
e914f31883f1e54f918cca5dc5cb12d160ed813c

SHA256
c30b56c7aa3176584fa6ce087f2ccdd5e406db63e82409b5504ec099294df925

SHA512
6141ecc7c52d6d0be1778690c4d8dae6c6ea172be4c51a6ce4376eff91030ccf6f48a491c5b72bd2561f1fe343b5ba2fa573afa41921e946acf038176f6bd6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\downloader_logo[1].htm

Filesize
328B

MD5
f8dd6e7c487d032d6bcf942578dd30f9

SHA1
cbcf5ad43d93c8392adff6de0746ba18064033ab

SHA256
f084d53e50d5028ccfd8e3245f0c676cddee3837d45e8db3065e248cd6b0bb27

SHA512
774b23c16d69bc48cccdc8785dd68d30f3315895b095f6e052675ecfb8113be1a609c367b89cc33e01c2a7f7ff0fac7189bd44277901ceba7a7dbfbca9e6387d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B62.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6CB1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\GetRightToGo\e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.data0

Filesize
942B

MD5
048f323e156c17be2acc2d3b15d595b6

SHA1
762b328bd49e024d384734ef562df56c7f4c7623

SHA256
5b64ff28ee99f1d82e8c71739df2949c78e17c8de7875ed54e7fa65a5028c444

SHA512
a1c27985abd5406674560c22d503336e4f47239f08aee95a048263200df74fac13657f728017748eec518dfe6a93f23a1ede7ba6b71567734ed9ab6196bf224d

Download Submit
C:\Users\Admin\AppData\Roaming\GetRightToGo\e9bfa6e5d7154416fd7bf7d198944803_JaffaCakes118.htm

Filesize
87KB

MD5
2290e78ddaffaa73838e9a67d679cbc7

SHA1
5e2583a2c5bad107c82cab2a495d559e1385ae41

SHA256
ca6005b88259d61bfc9943b1236cd4f6f12833f3134a3c1553545247d95aca2d

SHA512
a2c6ae503b264e30925c685efb6389175138fb809989d5e4c61e62345662c0d7a6e0de57c6a8f883209c7bf613c6be3fb4ca2031876d562271c8b111ad338abc

Download Submit
memory/1516-0-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1516-146-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads