9f610272cc71de34597dd5dc583f18ff2c688f1205e6a1231b7640ae074a1fb9

General

Target

5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
Size

9.7MB
MD5

5c77f9e33d2786114a77cff22a3e144b
SHA1

ece989b1a0e0641aac9ef5a792e4fb8f4b0fe049
SHA256

9f610272cc71de34597dd5dc583f18ff2c688f1205e6a1231b7640ae074a1fb9
SHA512

048227c034d4b68e60a4fc43ee1a083d82bc802078b416cf1ba9e847406cee383f8f58c484dec014ed51928291a5456f40dd04ea92e2be1786df209ec1323634
SSDEEP

196608:3kWq069PtbRxBrTPx+S1sDVJs7ZRy6gh/j3PIh7aYoK5zIM0O3aj5a0l08Z4L19V:xq069PtbRxt7MIf7ZMzIh7J5zOMklfKp

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023478-55.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
3888	setup.exe
1312	MegaDecoder_ver1.6322.0.exe
3996	scan.exe
2008	setup.tmp
4936	silent.exe

Loads dropped DLL 2 IoCs

pid	Process
4936	silent.exe
4936	silent.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002346d-39.dat	upx
behavioral2/memory/4936-47-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x000a000000023478-55.dat	upx
behavioral2/memory/4936-57-0x0000000002050000-0x000000000208F000-memory.dmp	upx
behavioral2/memory/4936-58-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4936-60-0x0000000002050000-0x000000000208F000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD928B11-BCC2-4408-8902-E8722B2A3F34}	silent.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\setup.exe	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3352	3996	WerFault.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD928B11-BCC2-4408-8902-E8722B2A3F34}\InprocServer32	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD928B11-BCC2-4408-8902-E8722B2A3F34}	silent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD928B11-BCC2-4408-8902-E8722B2A3F34}\InprocServer32\ = "C:\\Windows\\SysWow64\\bcryp.dll"	silent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD928B11-BCC2-4408-8902-E8722B2A3F34}\InprocServer32\ThreadingModel = "apartment"	silent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	silent.exe
4936	silent.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3888	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	86
PID 3140 wrote to memory of 3888	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	86
PID 3140 wrote to memory of 3888	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	86
PID 3140 wrote to memory of 1312	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	88
PID 3140 wrote to memory of 1312	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	88
PID 3140 wrote to memory of 1312	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	88
PID 3140 wrote to memory of 3996	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	89
PID 3140 wrote to memory of 3996	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	89
PID 3140 wrote to memory of 3996	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	89
PID 3888 wrote to memory of 2008	3888	setup.exe	90
PID 3888 wrote to memory of 2008	3888	setup.exe	90
PID 3888 wrote to memory of 2008	3888	setup.exe	90
PID 3140 wrote to memory of 4936	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	92
PID 3140 wrote to memory of 4936	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	92
PID 3140 wrote to memory of 4936	3140	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\setup.exe
  "C:\Windows\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\is-JSDEI.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JSDEI.tmp\setup.tmp" /SL5="$701EA,9475680,49152,C:\Windows\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2008
- C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe
  "C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\scan.exe
  "C:\Users\Admin\AppData\Local\Temp\scan.exe"
  2⤵
  - Executes dropped EXE
  PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 312
    3⤵
    - Program crash
    PID:3352
- C:\Users\Admin\AppData\Local\Temp\silent.exe
  "C:\Users\Admin\AppData\Local\Temp\silent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe

Filesize
60KB

MD5
62cf667fd67cd22bc7f3a2ea418055a4

SHA1
cf12d73657edd3a7c2bdfebecb5baeeea8c82ed9

SHA256
b847caf14be8ae12e362ef2eb603907ebb88b94a200ed061c48de9c270484e84

SHA512
b87306b8f1dc3a5f0250c415c84e9ad0729c79a946c1d505b0a77948c425af03ba26c1e84ad7fa123519e3c75f4cfe9b6acfa812c41a4e49a8e7b2c548aaf553

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSDEI.tmp\setup.tmp

Filesize
665KB

MD5
1e9793373762239a4bc032b00aa953b7

SHA1
ea5a7cf198f0265fb670756daad3b555d34823e3

SHA256
60035136dc5d2e21b9060a4e6618193b0bcfd99c950dafc6749259f40e14ef2e

SHA512
639bb90227b3a2d5e91a8cc540d8d6daa893495b97c0149f573be7ad5ebb7fa0a0887b7dc1d3e724dbbae5fb05a03acc9e06e0a6a2077c51eaf3c1657484c3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.exe

Filesize
182KB

MD5
3f4003f42cb84f47d31c6f4df3ba984c

SHA1
9eb46635bebd9957d4e71051401865a071751dc8

SHA256
3057e6352174caa26fe7bb1136bbf7f4374f362f7d917c8eeca5eef64e79f9ba

SHA512
8fdc8c145c91a9bf30f076540628cfd9592acf8c80dc7ee96be71e54aeabbc3a1a249ad935c801bb551489a71735851e6726de2059968f22ea78e88dcd6994ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\silent.exe

Filesize
118KB

MD5
1aab9752fe77b92c95961f1806b515d1

SHA1
c6055e9b839166c25555c601d375dac9b3e66404

SHA256
ef3af4903b9d7cd52e96df218ce478bb6cdb2e847a4c1c37879e3c4f3c47b7bb

SHA512
6bbba76a7b9abd8e6833be11e1e335dbf42842e1b7ed03f5334278aca08c697e02e1111cb78839559df7a9f6ed817c40c451cc1bc51e66d07368e676896d1d89

Download Submit
C:\Windows\SysWOW64\bcryp.dll

Filesize
91KB

MD5
b8383252f4d62af7d422b7cca1f956e3

SHA1
54996425ec9edc0f73f47928ab257ebe00e1a51a

SHA256
a223b0977bb2097af28963b0fe2392dca5c2f3ba1333626fa68a45d7a257aadc

SHA512
8125ca13810443308bca172ec9448fbc4cc2148e233f26b18b8f40b7003c4e997f28f004673882dbfdf57fc0730ffb1e11d669f1774d4322d9eca9ea3008efa1

Download Submit
C:\Windows\setup.exe

Filesize
9.3MB

MD5
5324acf8f04891980bb60c7d192c92c8

SHA1
63473f8cd901de4162aea385b90470afaae680e3

SHA256
1a2e5ed4d4ebce63230b5487c927ee9b01542e997dd6fe3ba1aac965af3cbbce

SHA512
3f45eb9ea9c8dd43bc9a27e600bd3a6e04c67ce2e08fa761fa5301f678e640c0595d250a49dfde77847e808339b774dd535f11d5a9d80e21a036fd3e079c17fa

Download Submit
memory/2008-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3140-48-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/3140-1-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/3888-19-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3888-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3888-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3996-33-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4936-47-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4936-57-0x0000000002050000-0x000000000208F000-memory.dmp

Filesize
252KB

Download
memory/4936-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4936-60-0x0000000002050000-0x000000000208F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing