77f33920f68a8f4c4d3367084dbe52acca1fad135fc920f06bf3f116524ec426

General

Target

6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Size

3.1MB
MD5

6558e1cc16ed1f9d711527e15849b39e
SHA1

5bb21152c801c160776be64aeaf6845dd6c2e52f
SHA256

77f33920f68a8f4c4d3367084dbe52acca1fad135fc920f06bf3f116524ec426
SHA512

ee2ccb842a40cd0c74f3072898698321deb1ad72312bfd47ce706f40882f1ac50144021fac11b9a33411be6f959ec851d630acb04547c66adf7a13468be0cff0
SSDEEP

49152:5Yjv7iKLA8VKR4S2+OvvW76HJakPQE9kiUGTITe0TdQvtR:5YT7iz8ZskakPQE97UZdotR

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2384	upt.exe
472	upt.tmp

Loads dropped DLL 3 IoCs

pid	Process
1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
2384	upt.exe
472	upt.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe = "11001"	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\shell	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\shell\open\command	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\ = "s7kbms URI"	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\URL Protocol	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\Content Type = "application/x-command"	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\shell\ = "open"	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\shell\open	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s7kbms\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe\" %1"	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
472	upt.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 2384	1732	6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe	29
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30
PID 2384 wrote to memory of 472	2384	upt.exe	30

C:\Users\Admin\AppData\Local\Temp\6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6558e1cc16ed1f9d711527e15849b39e_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\upt.exe
  "C:\Users\Admin\AppData\Local\Temp\upt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\is-NN8DE.tmp\upt.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NN8DE.tmp\upt.tmp" /SL5="$301C2,2437894,1146880,C:\Users\Admin\AppData\Local\Temp\upt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inf.ini

Filesize
1KB

MD5
d0b522938deb7e92cb99d929e3954c82

SHA1
09e169030eab146de4a9c6023a54b5df12c3ba2a

SHA256
31344108c24298c96b70a9f4f9d236522aaeb31963a829a71eaad6c18f0c394e

SHA512
15831689f0b9531c8d18d349dfa0631a0616915c627989f21e08a48fbed5bebe21ca5f9c00737371d25689d41df63e76aa49769e1e0066fc57c02aebb4c89044

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NN8DE.tmp\upt.tmp

Filesize
3.3MB

MD5
be73f78ef2892f67c1d8237d06d42b41

SHA1
f3a382a3e873e0b2554ab6cc7477ca3d89be96d1

SHA256
8d6b387608344085608becc3ad4892f3fd0a439a13c55da6f95d30edc976e9ce

SHA512
f52d721ae1eb2ccf2a6fb09cce5e0ef242a460d141047269854c02fdeb7ce7b970a8a7d13fd37ccc1dda4a0fcc7e69ac629d0a62ed9293d337ed22a567bbda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\upt.exe

Filesize
3.3MB

MD5
421b6cd4ade8e71d52d495fe9d5f42d2

SHA1
1a7df5cbc2d6a1fb6aa37d849e12ed04ef5727f9

SHA256
8120aa0d01eac8b322cf7c822c3785d92c951e584cac93aaf95c7de87371ff7a

SHA512
740a7c4099fc2fb8496c5ca8c558f7c891a72ed70d521be00fb8e2d43a52e839dbcc745fd0e9ef1630003aeb5c4b55337b278e00f0617a60ac41063dc2da0837

Download Submit
\Users\Admin\AppData\Local\Temp\is-OURAH.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/472-62-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1732-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1732-56-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/2384-35-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2384-38-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2384-61-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing