c8314fe861a9939d09bebaf20f069ba64cd25a8a1809402ca36adf20d241f697

General

Target

36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
Size

660KB
MD5

36c24db1ed442d4b41c2b5e18e9d4639
SHA1

5d50d595373988b0344c23aecbf85a8010f3e4d2
SHA256

c8314fe861a9939d09bebaf20f069ba64cd25a8a1809402ca36adf20d241f697
SHA512

884034489e000b37da43bae941774f4902bd619c51a10cebf4bab8e1eeada210afd4d733469f8953491f6a177d0e21ef9a670f5bc1e2285e5eea62740ab28e70
SSDEEP

12288:tn7YS4Qn0ViVi9KHUxzJWuR0zzqhvTfv7Vp1cyeLfJAmjmOvKYTg:tnMRsiQ0T9skr7z1VeLpmktU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CineRak\CineRakComic\CineRakComic.ico	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\ActivexDel.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\Uninstall.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\CineRakComicUpdater.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.cinerak.com	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
Token: SeBackupPrivilege	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2744	2264	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
189a7361c5bf1ec9dbdfcde604a17068

SHA1
85646f4b6231c77bad25b96eb43421129e7cd432

SHA256
8e010684892ef7d6c86b06c434fc15895b128603cf81ae1971e519bac5f411c3

SHA512
28886cccdb56de8538d33c13ccf54fe63b36c7fc2f846b0ccafbf41e72c27026cc7fd4c2fb4f89e59fcd1441ed98ba17dbbeb085456968e3aa5d7be92df2c573

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FBF.tmp\DLLWeb.dll

Filesize
28KB

MD5
b382d6c8d5c6a437b2064d79b5dee47b

SHA1
f8f4eae50d59b3b94762b10984c1fdcf4c08ff47

SHA256
bdb051e1d7fd7b062341b8cb2efce180f2fbb83739fd2143262034be0f2396f3

SHA512
e6d604d18b28beb30c09d987472540306abd925048f58a3c99a4013d44b9f29112419ca15c1bb7ee1560300bf179f9e98dd7e6db75e5aeb0e44fba47ac2dcc99

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FBF.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3FBF.tmp\processes_second.dll

Filesize
140KB

MD5
f0a1eae66dd2f54fbe26c26db5493a6f

SHA1
46d56b4c6694da1ec4d88b0a5b153dad02b5dca7

SHA256
8fe4dad8f894bcdb9a83a9d302907de404695be4b50e619afd88f09d72583e69

SHA512
e1b3c946e90fc30b6cdf953c8c7e96121b462bf8529099e0587f7f243b9d73eeba52b510dd2598937f188f7a35bc1e3785b7589ec6c249996a5795c10dafd1e7

Download Submit

Analysis

Sharing