1bc5a2cda8d440502c14ec8ac7dd37ae152beef48be8a72b47b56d8a90aba70d

General

Target

46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe
Size

651KB
MD5

46646ab07d603284ff59a39b81e8f232
SHA1

01b7948875e0e730bfa76d10d206b8e66da24249
SHA256

1bc5a2cda8d440502c14ec8ac7dd37ae152beef48be8a72b47b56d8a90aba70d
SHA512

55db2f2184a4b217c079c54897cb66fdc3cbe87bbc5182d3752bad852f1108171ea602cf116c2b1b80fc84823ce8a2f660f13fe8ee6633ebfe688f9f51d8fb43
SSDEEP

12288:HThVMOJixo0WyE+vckSd0vZ9StyCPY/m0Rjnl:HTxiWSvcf+/F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	InstallHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe
2812	InstallHelper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTServiceManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe"	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}	InstallHelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}\DisplayName = "google-feed.net"	InstallHelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}\URL = "http://www.smartwebsearch.net/index.php?from=4&q={searchTerms}"	InstallHelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}"	InstallHelper.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.smartwebsearch.net/index.php?from=3"	InstallHelper.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2812	2232	46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46646ab07d603284ff59a39b81e8f232_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\InstallHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallHelper.exe" -all
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.dat

Filesize
59KB

MD5
4fdfb8758684503395d366311ca20a81

SHA1
e7025abab125664592d1b091c17d33e2f4c49af2

SHA256
d14de42e0f549ede67752eec5a6abeed65cfef7899a1f18475d40f4f6ed27f1b

SHA512
06d3c5268507f579d838ccad981166e70408e7ade1168a25287ba9c88fade6d9a871a6bbf59184cff1fcd63484e8bdc9abd1a7d8ed64e491c0357a5ca4193f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDW\BSP.txt

Filesize
438B

MD5
99b80b52cd88dedb0618f0eaa7fd6050

SHA1
e8ed4795241f59424193415d2cee8a4242aeb79e

SHA256
362222b5ff0031117757550c266fc82484e042d6f1a8eaf6ba876d7270a15dd8

SHA512
15f3c16a55f03c28f3d7705be38a6e9f5f4249fe38569a98841fe34305f850f3d92f0125183d914a0825142cfaff0014d384819fb26ec8ea26dd6e762e1777ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDW\InstallHelper.txt

Filesize
383B

MD5
8079e94fadee0d782319e22a38cd1864

SHA1
195d6158bf3b314d19786a9d1866c4036a3d8e7c

SHA256
92f7ae2596ec1dfec5126744d02cd89f238a4085da17f118e3fd69d128163114

SHA512
b7daf716601bd9f871f772619add805fbd3260cdef7c4d684340db15f537298ee24f32b48a8815491e6d845b705eab3e80525982b5e5f4a41e7a68ae8dbbe5e6

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserStartPage.dll

Filesize
98KB

MD5
f2935b82031b4ec6c94ecef768b964ea

SHA1
fbbb72c2841fc47f81da414db670642d5fc1da90

SHA256
5005edd7db43d336710e4ed3e54fe042d1fda3b5c61156b69685214439a60b8d

SHA512
1aa119a37d0a5a539674c570f02359172b73dd4aa10bad876feb71089e4754fd62f3f960ab60871948ca0ae450172b87213af31dc0d596ce84ff003d27ce02f6

Download Submit
\Users\Admin\AppData\Local\Temp\InstallHelper.exe

Filesize
277KB

MD5
27b004acae7c7bd12b9bb6d96a51bcd9

SHA1
b26ad838e4085e8b0eb5df6b61b607c9285ef382

SHA256
5eb1ab22d8fedb85b075c29e60421877a4a7e3a90c9df6ef6675293d249de332

SHA512
1556fcb7ad8aaa4c70c3e9bb51ba38319648f9c0a3d00c5be716f659113ae3635744359f9ec367970cc2356b3efce5ea955c5f97862f6016061c9b62c59c03c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads