9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839

General

Target

2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Size

239KB
MD5

2f76a9f80d9ff4d19798974fdc632718
SHA1

04c805d6f9ca9f9980ababd37cb94d12ff2d7bdd
SHA256

9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839
SHA512

1d775bd1a50ebb9a3818b071887a3e775071fd9be24d4d9f1abde7de321ebbd389127a11e5545ed3c9941cf8b618261de37cf7e97829fd930cda5141f73b943b
SSDEEP

3072:kXu/MVID9mJCQnj3WCW2EW5W656N38Mxis5A26BNNXOng:kjCVKhMPaRV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
288	wnenvideocap.exe
2952	bphwen.exe

Loads dropped DLL 10 IoCs

pid	Process
1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
288	wnenvideocap.exe
288	wnenvideocap.exe
288	wnenvideocap.exe
288	wnenvideocap.exe
288	wnenvideocap.exe
2952	bphwen.exe
2952	bphwen.exe
2952	bphwen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
288	wnenvideocap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2952	bphwen.exe
2952	bphwen.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 1960 wrote to memory of 288	1960	2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe	30
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31
PID 288 wrote to memory of 2952	288	wnenvideocap.exe	31

C:\Users\Admin\AppData\Local\Temp\2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f76a9f80d9ff4d19798974fdc632718_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\nsjB55C.tmp\wnenvideocap.exe
  C:\Users\Admin\AppData\Local\Temp\nsjB55C.tmp\wnenvideocap.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Users\Admin\AppData\Local\Temp\bphwen.exe
    "C:\Users\Admin\AppData\Local\Temp\bphwen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bphwen.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB55C.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
memory/288-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing