e62c8cd2f6c10bfd731dca630fdd4c8e3d5c9b391976f4402d08a4fe11c49c50

General

Target

3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe
Size

25KB
MD5

3ab1dec4931563c5724b855a1ca8748d
SHA1

acb012e2c454afdebc97924a6bbc935f24bdcde7
SHA256

e62c8cd2f6c10bfd731dca630fdd4c8e3d5c9b391976f4402d08a4fe11c49c50
SHA512

968b2000ae29c381dd5229f7f26fa7820727fd0d742ae872468ae355de0f824476e1ce753cbf5b657f4f9e7b55f2bd0e8faeafb4a6a1c4ef99a25b2df21a21a9
SSDEEP

384:zdj4sgLfWCGJY6O4DTGm4hEEZxgoZFNQsLFOwiC2wKsEaVh2O9h8CQO4Hej0EvO3:CO5y6O4D2hvZF6uVDEg2O9h3y8pvO4a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
544	1846741.tmp
3948	1572419169.tmp

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90252969d5d3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000983f80cacd2779dd59a980fbb597e6c9b8ecef978ac3b6aba3f7425b8be42d1d000000000e80000000020000200000007b12decab3140eff3be5845938f06da35a4b5a7fa8c558ff7f8ec481fc047f8d20000000a6aede43bbe859798bffbf27ef5f53f3b31a6b347f6da65378cf1ac15e3d067640000000ff336b28445388b14b4bc2a50a66508312b868a94d851a9caed71094caa86d3badc0d89d3d53dbeb37124bb79a225a3573cdb72acece555d2c1f3d2d858b92f0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000a5ec666b348a79e4d8a5c667ccabb9f6f4e5371cf9059cc6023e7946648705c4000000000e80000000020000200000002c4f2bd0a1ef7086f90ab8962f54750e4ae0fae7356145f156330464f7434e9d200000006e7fa0300df9b08ca181bb5ae3f0ac0821025b9565d625570ccef26e0c3358b340000000f23572e58deb89daef3b1eec20508f9d7aae6d2103f60979055df0b744fc6e3b95e4962b719f426fc385f468995bf5a2c3acb76834deef040e0f0e3d8f275375	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{93A908F8-3FC8-11EF-B355-4A319C7DE533} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06a2469d5d3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3076	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3076	iexplore.exe
3076	iexplore.exe
4824	IEXPLORE.EXE
4824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 544	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	84
PID 444 wrote to memory of 544	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	84
PID 444 wrote to memory of 544	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	84
PID 444 wrote to memory of 3948	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	87
PID 444 wrote to memory of 3948	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	87
PID 444 wrote to memory of 3948	444	3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe	87
PID 3076 wrote to memory of 4824	3076	iexplore.exe	90
PID 3076 wrote to memory of 4824	3076	iexplore.exe	90
PID 3076 wrote to memory of 4824	3076	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ab1dec4931563c5724b855a1ca8748d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Local\Temp\1846741.tmp
  "C:\Users\Admin\AppData\Local\Temp\1846741.tmp" "C:\Users\Admin\AppData\Local\Temp\265006334.tmp"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Users\Admin\AppData\Local\Temp\1572419169.tmp
  "C:\Users\Admin\AppData\Local\Temp\1572419169.tmp"
  2⤵
  - Executes dropped EXE
  PID:3948

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3076 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wtwvts8\imagestore.dat

Filesize
8KB

MD5
10a93357b3fffea2476b7064068eb313

SHA1
da6b12c9652489abebcef211a385e58102abfc31

SHA256
18cd627b70df0f0eb630ff551dd0498617a2dbb720eaa82df3f75a5694e00c31

SHA512
93b083ea5921164a4f857520e0d669bfb6345431457211d6d3ea31961e21a335a8def89cc840e9e86b9c0e065813c5217700e5ea5ac57f239291be2837cda990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1572419169.tmp

Filesize
11KB

MD5
89ac0ab758760063cfef626ce0ac92a4

SHA1
9998678f454a617789d25c1e7d58dfaf058e13be

SHA256
cb14ffc026b008e203dd1a5ed28a0ffc322fa32c170846d9485e5892554ce96c

SHA512
98d22e7f56b9662a117f409521bea73e3585b9b16f167dc1f1f01711c7dde1ea941d669ebfed993c925acf1c62e46f559bb61ebcf75451067620e9126ed47458

Download Submit
C:\Users\Admin\AppData\Local\Temp\1846741.tmp

Filesize
4KB

MD5
b7547f90ea7b2c21796d7a056c912f64

SHA1
7c67aab307aff97cf3e82119dfc3ffd3cf33f3e7

SHA256
3a31834ab501275479b980ae73ed339d00bce77cc7fd2846873f3145cc1ef359

SHA512
a334590f2ec1797b71121eb404c6ee32544ab0f7c2384f1939c1ab5671e971693162c876753d2a7286c0f600411769520b0fd2f99c5162000e7857f9ed17359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\265006334.tmp

Filesize
512B

MD5
bb1f3e8cdd2cff98df9f610b9bd6ed0a

SHA1
7b32463044a509c76cb132bfdea3752c7398292b

SHA256
58cfb4141d2b48eeaad6cf49f380c5f7c6e928e837b8f9027e5b5c557a2700f0

SHA512
e819822f3bd7a2b16ca41b90f0c4d69407df45df113e7ff6176108d00c567e9f3fc977910f6bb260c31e16b7e63e592e19f6e0fa1ecc531d582e4c312d89edfb

Download Submit

Analysis

Sharing