4dab3739f92f34123d669d0f131e4901ec3c604aea15718eaf5e48b68f356869

General

Target

30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
Size

32KB
MD5

30e61aa650a4f1c3a0a1b0130a7842be
SHA1

acf7a79d6dca994e90c83a09d7aeded2fa775546
SHA256

4dab3739f92f34123d669d0f131e4901ec3c604aea15718eaf5e48b68f356869
SHA512

99a29467db80ced7b5c6bc6e76fb433e10a2e422deae02dea79acbeeb0db2d7f05dbefc5633a1e81bdfe44502b62593184d676b80e4045686aa109a3fa3696de
SSDEEP

768:nMhcSTtl/03UfpbXBbJKbYKrY3Jdohy8+C9owHTYWPlO89T8nL:NSBkUhYYKrhh4/nQ8L

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo bgdjdn = "electronic-group"	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4240-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x00090000000234fd-33.dat	upx
behavioral2/memory/4240-44-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiveStream\img\dialerxxx.ico	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Program Files (x86)\LiveStream\dialerexe.ini	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LiveStream\dialerexe.ini	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Program Files (x86)\LiveStream\instant access.exe	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\LiveStream.lnk	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\LiveStream.lnk	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\LiveStream.lnk	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Windows\dialerexe.ini	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Windows\egdhtm_pack.epk	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
File created	C:\Windows\dialexe.zl	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Microsoft\Internet Explorer\IESettingSync	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4240	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
4240	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
4240	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
4240	30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30e61aa650a4f1c3a0a1b0130a7842be_JaffaCakes118.exe"
1⤵
- Manipulates Digital Signatures
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\DesktopIcons\LiveStream.lnk

Filesize
1KB

MD5
f3033c4e1907b6561c4631c14f2473ec

SHA1
a66551928b857c7dd343a7b93f14a5cb63247808

SHA256
8327456f27cc4a2bd739cc9c83c935d5760e7741b7ebcc9b3ee8bd112ca74346

SHA512
9f39a12da40eaf5c7f7cdf4219ef70c6bec715ab01420a553056157b2935f69829ca61618a7b9bf6b1b628d250329a5b58df61bedeefbf8868bf6dcce628d149

Download Submit
C:\Program Files (x86)\LiveStream\dialerexe.ini

Filesize
522B

MD5
cadab9a78d3e07b61678edcd537f49cc

SHA1
43503c82d262a706d2f5af60aab082057f29dcc6

SHA256
fe59ed36c4ab71cd75e6bd14bd041b80e87504cf612683146d79494d7a596ec3

SHA512
b55c32f65f44276f0b31c1259344fcfeb5e373dc23e9b3c562475f877824f1c4beacf075a64a0608cd9ff42aaeb7a9ba33a0f98a152ca1820f40165547972f91

Download Submit
C:\Program Files (x86)\LiveStream\instant access.exe

Filesize
32KB

MD5
30e61aa650a4f1c3a0a1b0130a7842be

SHA1
acf7a79d6dca994e90c83a09d7aeded2fa775546

SHA256
4dab3739f92f34123d669d0f131e4901ec3c604aea15718eaf5e48b68f356869

SHA512
99a29467db80ced7b5c6bc6e76fb433e10a2e422deae02dea79acbeeb0db2d7f05dbefc5633a1e81bdfe44502b62593184d676b80e4045686aa109a3fa3696de

Download Submit
C:\Windows\Temp\offline.htm

Filesize
885B

MD5
029b8404b28819004a3d61a0e24ce8ee

SHA1
84bd4ed387557e72a16e769a7828e8eb60f689f9

SHA256
56903d911b5726050378e46158da9c40c29142b069a4f0d4476cbd7c9e33eca2

SHA512
2f4a94c198499288668b4281d1d7b7b1bf71f2fca0bca58f8b032cd12c6bb831dbbb06a717ee063a572fb195277a755d6a6274033d821885a2bd34c8421a6695

Download Submit
memory/4240-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4240-44-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing