b3024ac81e9cf25e75fa15da666924bff11445895f7f1b46c4a2c21f2a9908ae

General

Target

69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Size

1.1MB
MD5

69fab0fe3c28cef0ac3be3e1554fe980
SHA1

809621f7651be4b115d1c89ef42a5001293223f1
SHA256

b3024ac81e9cf25e75fa15da666924bff11445895f7f1b46c4a2c21f2a9908ae
SHA512

431e540bc59287ab6b784c3beae913650bbc43774f75919c2ee281ccb46d1f37587926997010d74ef0f7a40ce3f3a2b1492f4b7c9fb23765056db1da1291cbfb
SSDEEP

12288:msM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQr:dV4W8hqBYgnBLfVqx1WjkG

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1385899937"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108311"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7DAC16BA-18CA-11EF-B9F7-E27D0092C90A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1385899937"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1438870055"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422606221"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\DisplayName = "Search"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\URL = "http://search.searchws.com/s?source=%7Bparam%7D-bb9&uid=32e57b21-553e-4f27-8ce1-57a9bb1ee269&uc=20180423&ap=appfocus84&i_id=weather__1.30&query={searchTerms}"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108311"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{2D7E873A-D581-4F9D-A091-BCA8579E7902}"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchws.com/?source=%7Bparam%7D-bb9&uid=32e57b21-553e-4f27-8ce1-57a9bb1ee269&uc=20180423&ap=appfocus84&i_id=weather__1.30"	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

636 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

636 IEXPLORE.EXE
636 IEXPLORE.EXE
408 IEXPLORE.EXE
408 IEXPLORE.EXE
408 IEXPLORE.EXE
408 IEXPLORE.EXE

pid	process
636	IEXPLORE.EXE

pid	process
636	IEXPLORE.EXE
636	IEXPLORE.EXE
408	IEXPLORE.EXE
408	IEXPLORE.EXE
408	IEXPLORE.EXE
408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exeIEXPLORE.EXE

description	pid	process	target process
PID 2420 wrote to memory of 636	2420	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 636	2420	69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe	IEXPLORE.EXE
PID 636 wrote to memory of 408	636	IEXPLORE.EXE	IEXPLORE.EXE
PID 636 wrote to memory of 408	636	IEXPLORE.EXE	IEXPLORE.EXE
PID 636 wrote to memory of 408	636	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4176 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
01409a92b179c99711ea8c28d307d0c4

SHA1
a9cc2b0c5727e2af14819f3908c4693f8e891392

SHA256
3034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c

SHA512
8e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
4f10c2e221200c64424fb46bb72ef69a

SHA1
ea66caf80cb06d0495292ad45e262fb1ae2a385d

SHA256
811f6e75ee83a355f2c3d13ed2884822ac1370f741397ecfb72e7d845c1cff3c

SHA512
84924d6e1654c885d71ff9940f249f302220c0df0ff40016236c5ee1237de4bdd98b607873af2328a7747b1121fc5baa611b1a97288182fc2e0c9ffd440ad5fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads