40dea3ae54da751488888efda293c8bda080bb824a63ee17e9b1a07d94021119

General

Target

186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Size

115KB
MD5

186617fa57a274d3e1b8bcda2cf2bd24
SHA1

e47765df2909fb9b268c46ec55afc5a49de7933b
SHA256

40dea3ae54da751488888efda293c8bda080bb824a63ee17e9b1a07d94021119
SHA512

ccedc5693794be3a050db2934a397e23015bf517ba774904b0f3d7436a7cffc636c152452a56eff3095a0b93bee6f5ee77aebff0cb136ee471f2e80f7e354ba4
SSDEEP

3072:WqvI+koqAof1yD+wlsyi0NXcaTW7NrDcY3H+5rZAS9:p5k/krTiEca1vQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	756	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.6006.cc/Search?q={searchTerms}"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\default_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SearchURL = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Live Search"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\searchassistant = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\searchassistant = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\CustomizeSearch = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.6006.cc/Search?q={searchTerms}"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CustomizeSearch = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\SearchURL = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Live Search"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window Title = "Microsoft Internet Explorer"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Open	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\Open	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2164	756	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 208
  2⤵
  - Program crash
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads