20d4815ca5c3b2f0025288738f7070e92d48bfb56dca696a0b94f8cc29943b29

General

Target

096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe
Size

123KB
MD5

096823f8a85c1d6839cc4654923d99e8
SHA1

0ccb91169e6fbc7c987a5f09528ade88d1a053f1
SHA256

20d4815ca5c3b2f0025288738f7070e92d48bfb56dca696a0b94f8cc29943b29
SHA512

6cb7bbb7e952a7911ab242a59c2412dbc3dd5640d975de5c809c4ec44e32227848eda8fea26e69a3594d58f8572dadc8eda37005fadf4adb099972fac1939673
SSDEEP

3072:teSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLsh7Hvb:tVYrJrOSsRwcpmTvb

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002342f-27.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2708-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x00050000000232a4-5.dat	upx
behavioral2/memory/3780-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2708-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000700000002342f-27.dat	upx
behavioral2/memory/3780-57-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e.ico	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110112140106\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110112140106\dialerexe.ini	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
5048	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2708	096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe
3780	iaccess32.exe
3780	iaccess32.exe
3780	iaccess32.exe
3780	iaccess32.exe
3780	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3780	2708	096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe	81
PID 2708 wrote to memory of 3780	2708	096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe	81
PID 2708 wrote to memory of 3780	2708	096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe	81
PID 3780 wrote to memory of 5048	3780	iaccess32.exe	82
PID 3780 wrote to memory of 5048	3780	iaccess32.exe	82
PID 3780 wrote to memory of 5048	3780	iaccess32.exe	82
PID 3780 wrote to memory of 2700	3780	iaccess32.exe	83
PID 3780 wrote to memory of 2700	3780	iaccess32.exe	83
PID 3780 wrote to memory of 2700	3780	iaccess32.exe	83

C:\Users\Admin\AppData\Local\Temp\096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\096823f8a85c1d6839cc4654923d99e8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:5048
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk

Filesize
2KB

MD5
6f45b2e1b500d55392eb6504d7c5646f

SHA1
e7bf4ca42ba17575e7af8216f0ce47e85dee6f2b

SHA256
b6a325e0d7434ba75354dd3d6804ed493afe4b250ced71d508da7fd1191b49ff

SHA512
8471c2ae698a5a766482bfd284b8708cfa6673a56e5665c26462730fb8bb4b6fc11b6516d6d389873d3f4291b2f30fd9690fa8e41f0b185f6b27618007f93f05

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110112140106\dialerexe.ini

Filesize
668B

MD5
209c09f8bca7530ee5b95a3639a61ed4

SHA1
25ef4cfcc1210d242c7d62f27fdc8455aafe26fc

SHA256
e40e4b0f3e2cc48ee272f86d6f271ac35421f7a5f86d75deecd46308ebc0aa7b

SHA512
11fd43842a39c475d0bd9a0e06bd254ef9b07a0b0000049b97c10d3b2859525330aed8a6f229a7c1e3483817d817eba7c160b83157a547ec0a0dc7b8af72a732

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
67e17f6d7a535a2779c8ce01fb54f917

SHA1
f360e4e7ec1a711f68639e4e38bfb5185a167e4c

SHA256
ef0ff302d9c38b13240916f4c7b9677dba354f9033071f4e7f257d913faff7b1

SHA512
2014ba1b9ff7fc4fce894ab2840437d8897b2ddb815fd7d05cb6ef019025bb8da6ebaa7164374252ccba9b6c1b658fecf8716a26b45dc25ecd29b2d86f9994d1

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/2700-29-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/2708-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2708-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3780-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3780-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing