d1c850e34e72c0830dd94cd5508ce0da83ab2b78418b09a275b49d625f1ea929

General

Target

3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe
Size

16.7MB
MD5

3bb0f7981eec323c71d13fddaf2f3252
SHA1

0a934099df4a0f2f8456a3b73312fe3da8973b61
SHA256

d1c850e34e72c0830dd94cd5508ce0da83ab2b78418b09a275b49d625f1ea929
SHA512

54b73d0581beefe790a57416231237871df2ae0f609fffe16c42747b91adfb1370c3c1111dddc5f95a9a2cb6668ad4304c564bcf3127194cc2deaa3788854b62
SSDEEP

393216:ClEsSLEvRalRoAHTq3WeafHlkUs3GTpgjWb4tVr:CzSLEvRao+TqpcSUDJb4n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2776	IE7-Setup.exe
2896	iesetup.exe

Loads dropped DLL 4 IoCs

pid	Process
660	cmd.exe
2776	IE7-Setup.exe
2776	IE7-Setup.exe
2896	iesetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ie7_main.log	iesetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe
Token: SeRestorePrivilege	2896	iesetup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 448 wrote to memory of 660	448	3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe	29
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 660 wrote to memory of 2776	660	cmd.exe	31
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32
PID 2776 wrote to memory of 2896	2776	IE7-Setup.exe	32

C:\Users\Admin\AppData\Local\Temp\3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bb0f7981eec323c71d13fddaf2f3252_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IE7Setup.cmd
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IE7-Setup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IE7-Setup.exe /ieak-full:C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - \??\c:\ee85375314117d45eed75585ae821d\update\iesetup.exe
      c:\ee85375314117d45eed75585ae821d\update\iesetup.exe /ieak-full:C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IE7Setup.cmd

Filesize
38B

MD5
eacfba0f41773ef761e90eb8c9a11e63

SHA1
49f22ce5fb3840c105782c7706c42c7c5b4c9bc1

SHA256
d98a03911d76264348aeefdedcc90fdc9e8e6037eedf8938dc600336fc37e010

SHA512
5621bfbb3ad5289364aa18f2de45866c4f005fdafba2480b6630b319f6493aff448466624a4ff65ed19ca1d78b87342318a17d69dc221012fe85a3f783aec221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ieakcust.dll

Filesize
30KB

MD5
d2e3250da7e8dde0f7cd6d16129373a7

SHA1
76b80d80ca795dea456a68c91279a7462b5dda06

SHA256
a542c2a9ce9d23f809a251acaa383c9ea26b11b219dfd32972b0b68a757f71b2

SHA512
984fd920c244f09c137b7099bf889b3736b3643796a5c0cd7e356384402c2868aaf5b771edaaa28d52bfb626908aa08b2adb714ef57dec6da9f8565f49d4f08f

Download Submit
\??\c:\ee85375314117d45eed75585ae821d\update\ie7.cat

Filesize
41KB

MD5
a512a719570f944dfddaffd09a030fe2

SHA1
6df261acbc9958cf79a55dfff79ea0b5fe4ec74f

SHA256
70b6f93b109b75755a664dffaf2a37a39f7965b89007c2c75cdfe2feca263dc2

SHA512
5d45594dbbfd0314ef100296429bee57e5ba66f463a19ca004bc09e9db6a77566b16b435761cf90939de1e84668e80eea878b1e4cc5ba04a507eb765b94e5760

Download Submit
\??\c:\ee85375314117d45eed75585ae821d\update\legitlibm.dll

Filesize
620KB

MD5
2ae9a778bc11027805f5ae0ac7c1e387

SHA1
570ee57195bfd68b217f3ffd63472c88a54b638c

SHA256
758c19ef12ac5bd420e03d3347fb2d4ddf00e15311e8cf55f9834d13eb3bbc35

SHA512
5ca4fa4650bd06123200a0612d6a44adde132ec81c92f3fbd2ed9ba2fdb381a929e3974e4c67a2a4f7533a7b81ffccbbbb1fdb78a0d0c8ee6dadc557af5b8c80

Download Submit
\??\c:\ee85375314117d45eed75585ae821d\update\update.inf

Filesize
1.5MB

MD5
7397ccae9d38447cf27a7ddd85cad09e

SHA1
b25a7da4552af253230659c2d7b12a2cd651cbed

SHA256
23b7ad0c0304a7c62650619f18d305c420e3d6c20c6b514221f974f488b71025

SHA512
27db64d915bcf4b1f12c5d9a8dbf124f113f8774049e2a7364e31c0e6f041d9bd67a38c3cec754bc552d8fb2e6f1000d42cc89037d0c261767de493f9954068a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\IE7-Setup.exe

Filesize
14.8MB

MD5
000e130a93f5d9edf1420600b3f7caa3

SHA1
c5ea0d7c516786ef8c2690234c230e99fab0eaa0

SHA256
0694d29c855fdd3ac7c7b8c0965939dbac44a9717e1e3854258274808d119775

SHA512
52940c9132eef47fa84ab1f2d58bd820570f462df7a2cd957c6c9248b5e32b98ec6afb938f9e5293029ed1cf5287438dd5d9eda90397a54ea124245b6d26aab1

Download Submit
\ee85375314117d45eed75585ae821d\update\iesetup.exe

Filesize
1.1MB

MD5
725e11395335acea12875d11af71139f

SHA1
07b7c879132cfa16dc56e8b64a71f33bde131e54

SHA256
9f32b1281efe31fcf29a0c816dbfda95e5a623843257c690ab8958ae7c9acb73

SHA512
564c679e096f2ba7d87579170e989202627c2384f96dc1c7e9c85d871a30f49a08b99fb7c00b5fd7d0179559e71c992d32518ffb1f2147a927c9e5e2be87fb8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads