40dea3ae54da751488888efda293c8bda080bb824a63ee17e9b1a07d94021119

General

Target

186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Size

115KB
MD5

186617fa57a274d3e1b8bcda2cf2bd24
SHA1

e47765df2909fb9b268c46ec55afc5a49de7933b
SHA256

40dea3ae54da751488888efda293c8bda080bb824a63ee17e9b1a07d94021119
SHA512

ccedc5693794be3a050db2934a397e23015bf517ba774904b0f3d7436a7cffc636c152452a56eff3095a0b93bee6f5ee77aebff0cb136ee471f2e80f7e354ba4
SSDEEP

3072:WqvI+koqAof1yD+wlsyi0NXcaTW7NrDcY3H+5rZAS9:p5k/krTiEca1vQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
932	2180	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CustomizeSearch = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SearchURL = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\CustomizeSearch = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Live Search"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\searchassistant = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\searchassistant = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\First Home Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\default_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search_page_url = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.6006.cc/Search?q={searchTerms}"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.6006.cc/Search?q={searchTerms}"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\SearchURL = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Live Search"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.6006.cc/?safe"	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Open	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\Open	186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\186617fa57a274d3e1b8bcda2cf2bd24_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:2180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 460
  2⤵
  - Program crash
  PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2180 -ip 2180
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads