57e3821ad5804c3547bd92afd38084ed64da007e8d205fa6a7f7aeaafa156862

General

Target

1c353ba1bf7ec7594e57873c264fbdb2_JaffaCakes118.exe
Size

150KB
MD5

1c353ba1bf7ec7594e57873c264fbdb2
SHA1

d0c175286cca03add25071d5d64b50ab8b5a7e1e
SHA256

57e3821ad5804c3547bd92afd38084ed64da007e8d205fa6a7f7aeaafa156862
SHA512

8129260bea7759623651eeec00ee361cfec18b8aff3968ef9f5cb24480353b3e3aec8db221e8b0a7416d954a68d13df0f63b03b4cbe323ea40ea9618e24d6a98
SSDEEP

3072:JZMJnTeM4cJJmLzeRfx6qlhs9uH4xfTMAiCAMH4i8G39kq4FtbzOtXuQXMmwIP4y:3eTeM/8zepx6qfh4xfYbCAE4i8G39g/s

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5411C85-37DF-11EF-BCA5-5AA21198C1D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a617d8eccbda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000006dabcdb7c7170619d464c5cac827c77ef6b85e44a7b11aa77445e06344cfae83000000000e8000000002000020000000f4f21735ea17e621212a6ec09b1b269053403eed2bc44ce951f760a9442fcec2200000007cf324136097964033f6025a510c0e4b4cac317f3259754eeb2f798efeaef2774000000048ab4dc3dd29f9fc4df6b66cc89068dc8a994287c7c739a59164e0ada421ff30971dc1383c41df3169f75e1b9bb341fc1daa87230f7ae5c9ae8965d0f7a43d03	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0eb12d8eccbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a41500000000020000000000106600000001000020000000ecdf756d515cebf31069a0eb47ddbe6b945d857a987a6728d4a03b83d719d045000000000e8000000002000020000000043b1a3a77e0a97021cefb9b46a8f84958993896c73a6da539320abeefdcf1aa200000009724506e8de7499e2c6505eedda3d27676a7934c65010c6c6108a515f929127640000000087f7e40f0953b47d349c1877a967dea458c1a6cbe33724d0bb8551cf33d08329e2c5bc8c0159941dd1b080489055e5d921c9b9ce97722089601cdb9934a0a1d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426023928"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3452	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3452	iexplore.exe
3452	iexplore.exe
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3452	3404	1c353ba1bf7ec7594e57873c264fbdb2_JaffaCakes118.exe	80
PID 3404 wrote to memory of 3452	3404	1c353ba1bf7ec7594e57873c264fbdb2_JaffaCakes118.exe	80
PID 3452 wrote to memory of 4980	3452	iexplore.exe	81
PID 3452 wrote to memory of 4980	3452	iexplore.exe	81
PID 3452 wrote to memory of 4980	3452	iexplore.exe	81

C:\Users\Admin\AppData\Local\Temp\1c353ba1bf7ec7594e57873c264fbdb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c353ba1bf7ec7594e57873c264fbdb2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.819ic.com/?e
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads