d45b7703dc2c199a67143dcf707f19e1a7fb4f4aef31c1ed1675902cf17babb9

General

Target

fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe
Size

61KB
MD5

fbf3644dfd5e4421b34698c3f19312fe
SHA1

d50e4d40a6e17c01b5ba1df316e7df017c65f326
SHA256

d45b7703dc2c199a67143dcf707f19e1a7fb4f4aef31c1ed1675902cf17babb9
SHA512

21d068fd37d9f4cab85904185af6fe849980edaf16516154a82714a24048fd4304f324c2e1f55ac5d763f21535d3a1f6be20a77409c34672b44a4c03749f3559
SSDEEP

768:D1TOLVgCOKpd0iojI7RWsxO5Uy6nq3d7aFmnAyWIH56:RTSO6647RW6OYMOiAzIM

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0005000000023256-2.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1988	fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0005000000023256-2.dat	upx
behavioral2/memory/1988-5-0x0000000010000000-0x0000000010009000-memory.dmp	upx
behavioral2/memory/1988-6-0x0000000010000000-0x0000000010009000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BB83C4F1-FED0-11EE-9C51-52D91C800120} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5080	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1988	fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe
5080	IEXPLORE.EXE
5080	IEXPLORE.EXE
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3544	1988	fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe	112
PID 1988 wrote to memory of 3544	1988	fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe	112
PID 1988 wrote to memory of 3544	1988	fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe	112
PID 3544 wrote to memory of 5080	3544	iexplore.exe	113
PID 3544 wrote to memory of 5080	3544	iexplore.exe	113
PID 5080 wrote to memory of 3320	5080	IEXPLORE.EXE	114
PID 5080 wrote to memory of 3320	5080	IEXPLORE.EXE	114
PID 5080 wrote to memory of 3320	5080	IEXPLORE.EXE	114

C:\Users\Admin\AppData\Local\Temp\fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbf3644dfd5e4421b34698c3f19312fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5080 CREDAT:17410 /prefetch:2
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services.dll

Filesize
6KB

MD5
c15f589abfb7123047b07b7e8e6ba924

SHA1
9ef36de78b4595721aeceeee3b3cd5ef3910d299

SHA256
cf56632457ec29760f991e3e73c39fef70f2774ef6cb9aac9455f1b31a0f7e99

SHA512
f364157c7f71ed2df2ed825147b1854799cfcfeae856e7c983f78516f64774d0ee545ca17feb945be5e3a51bba1e891d10e110c8aa2f16fee6e89f395e916258

Download Submit
memory/1988-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1988-5-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1988-6-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing