f28c793f683ba6deee7510b60f0a5e90830df59d81d10907c6bdbd08e3d5136b

General

Target

0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe
Size

2.8MB
MD5

0cc7aea12dcb1c719c281c186fe53e4c
SHA1

48a02d6a917523716e17becc95b6b449d50ceffb
SHA256

f28c793f683ba6deee7510b60f0a5e90830df59d81d10907c6bdbd08e3d5136b
SHA512

b50072a50895f8e74ed587dfb16bd43b0a3ccf3b24304d6c6e052fb1d30a1af34d793424501ffb72bd701f9b2c9ac1fa1014d966a851fc9d5882fe06fc442d92
SSDEEP

49152:Kh+Iy6ausuSc41msMQ/FwZcG+cpWgyJD9hixDHopctc+kMUeoW:KEIy6ak4MCM+8pKbi1H4hMUg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	autorun.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	autorun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	autorun.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	autorun.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	autorun.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	autorun.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2552	autorun.exe
2552	autorun.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2552	autorun.exe
2552	autorun.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe
2552	autorun.exe
2552	autorun.exe
2552	autorun.exe
2552	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 2552	1044	0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\0cc7aea12dcb1c719c281c186fe53e4c_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\NOD32.png

Filesize
72KB

MD5
be0fbff8e9330f29d06daa16fa6532ac

SHA1
005f4e11c3d5079a1eb7d2cdd0853211d6fe7369

SHA256
55bb257a5f110e3ed5218bf3ac0e785277c3918bc9ab58400fa7dc5fce48d945

SHA512
f36f039ab64069fbda4ce0aa81ebf956a4ca7644025d363b6a619d9911e9a3eeb1acc6bc254d3a1423a62cbe2fb213218998f3053ddd2f569c3929c0a2e7c8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\update-button.png

Filesize
936B

MD5
410a51d506e46d96977ba17c0d62fc08

SHA1
222f975f927ebcf9c6a0763b7abb71dd245ffffa

SHA256
3507817bbcb56505a9e74d9e9513451d9f239a41e1c321cc9dee0cb238f6e5ff

SHA512
316ec8cfa968fa53b93ba510b8f7ef8fa6049ab9b441f0b96bff3e574b43090a42b4da3d0336c86a20103b1f7f2798dd8cad0cc6117cca713c272b24a632f71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
11KB

MD5
0a5d1f6f364140063684926b508d272f

SHA1
8299a808f3a5058a22029e78b8f2fea2fa312002

SHA256
6b2b2640881482a70ef8ab5e5f5ff54157269863612b1154df028f5cc62ea4e4

SHA512
374448710b772612969963a122b11be19392e08fa12c3c329f7a95a5ec24f234782ae9e0e9254dff17f25a271714d716a15214d4b69e923759afa9723c6403ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\x.ico

Filesize
97KB

MD5
7d53a14e6220cf0fbdb3b204c2a4064f

SHA1
c649d6e14d28a085bd153600cd4fe602e7ae071f

SHA256
9c7157762ee5f5643f00073d47b795807173efcfa282928747e3c9413906a7b4

SHA512
5be3d44daf663f8057e0c6154ed4e43d6b0406a75ee6f3b994b6c56a1a3d158d92e546614bf06490038726a74c6b1fe3e3c983ddb6313e79e4773b9b9dec5cc2

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.8MB

MD5
78f01d099d2b759d2936c58f8005cbbe

SHA1
6996af950e4d6bb6fd2aa0af5cafae8af1d8c97a

SHA256
ffa740e17c4dac2cb65bf8d3e931992c73cf373a1203713d1743e247254f0fa6

SHA512
e92cba8948983db09acba445de04cbfd081854f3b468dcd102db8e67f89e94ead01fa1961ed823e1479b78e83cb005e22137dc98282abca019358d81fc3d45b9

Download Submit
memory/1044-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1044-127-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads