6bd7a6db3b753b83466251378046f326a3e76404121e16959812c326a3a8712d

General

Target

38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe
Size

183KB
MD5

38e7786d7dda5cbeb1577bf87557d205
SHA1

c21ebb3e821deeec7dcea9550681844fcaf3fb29
SHA256

6bd7a6db3b753b83466251378046f326a3e76404121e16959812c326a3a8712d
SHA512

7a709047d428ed583d52e73b6505cde500e82cba125ae65221ed8fe46de5b4f2736b4b73a72a4e46d679131dbc90e78ac7bf075540834aafa9a8ad38c04e8465
SSDEEP

3072:EamFnQYUM6m3SP2sVSdEnfWZN3cbgonk9sX1qalYuhLJNdjQVVTuP5J85Vi9iqVt:Eazq3aipalYuhoao5sQkz1Rv6O

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234af-26.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3536-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000900000002344c-3.dat	upx
behavioral2/memory/2948-5-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3536-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x00070000000234af-26.dat	upx
behavioral2/memory/2948-57-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e_2_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110128140114\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128140114\medias\p2e_1_3.gif	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\IESettingSync	iaccess32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
4324	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3536	38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe
2948	iaccess32.exe
2948	iaccess32.exe
2948	iaccess32.exe
2948	iaccess32.exe
2948	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 2948	3536	38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe	83
PID 3536 wrote to memory of 2948	3536	38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe	83
PID 3536 wrote to memory of 2948	3536	38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe	83
PID 2948 wrote to memory of 4324	2948	iaccess32.exe	87
PID 2948 wrote to memory of 4324	2948	iaccess32.exe	87
PID 2948 wrote to memory of 4324	2948	iaccess32.exe	87
PID 2948 wrote to memory of 3060	2948	iaccess32.exe	88
PID 2948 wrote to memory of 3060	2948	iaccess32.exe	88
PID 2948 wrote to memory of 3060	2948	iaccess32.exe	88

C:\Users\Admin\AppData\Local\Temp\38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38e7786d7dda5cbeb1577bf87557d205_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:4324
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20110128140114\dialerexe.ini

Filesize
668B

MD5
3be1e03a2c30d72c8302f723102251e5

SHA1
58767ae471dac9bffa75c98e492723b3f0736858

SHA256
50d8828f8c00c6b6ce071c5e86df01f8f64f9807f5ec8c8eed4bd11c019b2bb4

SHA512
62077f9f5b0125101f80139c09e6ec91e5666bd7d1a44042a72713ca721c688627ff5f1598875d82dde97c450b06365771063920044ed8f3595c8200e8f0f939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NOCREDITCARD.lnk

Filesize
2KB

MD5
3958c64424a68fc3c0898dbe80c5431f

SHA1
ce696e45602b857ee33ea4b536c38a0b5c6a284b

SHA256
9d167e7f280e8cc94b8792599a00dcfcefaf03db803293378461c278cdad0f9c

SHA512
729ee6d60f89937ed15ed969b1a6c3ae0ada687576241cebd91f91feef128dd1940594159b652edf6633fc07fd0442a2403455e619a327cdcf07380d8b471507

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
b9d1eeb825d1954c4f4087dd328d1a40

SHA1
199a18c824fb713f65c8962569c8a245523f4ce4

SHA256
cd8babd54febdd22a62b58413d9fa1b78d2191073cafb7b07b1d997ce74eb481

SHA512
8b168da9d48d65edd3a2c40103660f55414f6373b6e6ec6fa4937a062d5d7b180f239ea9d6e8ab22b27feb70a7cf0939d6c981c863080c33e919a3ee86649c71

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
183KB

MD5
ae85dd75b77f061fbb27f957fd8067a9

SHA1
f671f8ec3bd2779b0299779794441aa9f3607608

SHA256
c0bd73c5ed27a1cb6448d3536eaef9b05544e55b513dcd9d341fe17658e732b6

SHA512
3cc6a9f34d6b3ce4c03dff7a8699b2e9f9fa1fa6295f0b68c56089dafbe467da2858ce460ade72666a9906d6ce1e1a61c2b66cdc691c808e4d9e8c554be13a77

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/2948-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3536-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3536-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing