88ee5c3f7b20dbf878cec805b1b2039b2348c084025863f50bed36501cdff3fb

General

Target

633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe
Size

183KB
MD5

633610e0015c2c6b6431092a670c171c
SHA1

dd59224add23f28d4ef8fe5d51635a91217c769f
SHA256

88ee5c3f7b20dbf878cec805b1b2039b2348c084025863f50bed36501cdff3fb
SHA512

8d5ba6f022b44599e3fc22018d5bce0bb9729624ee977ca64212d7de52e28fc7905a54aca18020b5762bd8dd9c744b0dcbf89f556d9d68dd64bd6772082189b3
SSDEEP

3072:EamFnQYUM6m3SP2sVSdEnfWZN3cbgonk9sX1qalYuhLJNdjQVVTuP5J85Vi9iqVu:Eazq3aipalYuhoao5sQkzi

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023485-27.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
408	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
1440	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0009000000023418-3.dat	upx
behavioral2/memory/2916-5-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/408-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0007000000023485-27.dat	upx
behavioral2/memory/1440-28-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral2/memory/408-71-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e_1_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110202140209\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110202140209\instant access.exe	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\IESettingSync	iaccess32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2968	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2916	633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe
408	iaccess32.exe
408	iaccess32.exe
408	iaccess32.exe
408	iaccess32.exe
408	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 408	2916	633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe	84
PID 2916 wrote to memory of 408	2916	633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe	84
PID 2916 wrote to memory of 408	2916	633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe	84
PID 408 wrote to memory of 2968	408	iaccess32.exe	86
PID 408 wrote to memory of 2968	408	iaccess32.exe	86
PID 408 wrote to memory of 2968	408	iaccess32.exe	86
PID 408 wrote to memory of 1440	408	iaccess32.exe	87
PID 408 wrote to memory of 1440	408	iaccess32.exe	87
PID 408 wrote to memory of 1440	408	iaccess32.exe	87

C:\Users\Admin\AppData\Local\Temp\633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\633610e0015c2c6b6431092a670c171c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:2968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk

Filesize
2KB

MD5
97950db3c11f1de5e4101c8023ee2dee

SHA1
88794292af93b97e45c1194c9098062215097e0a

SHA256
606c3f274a7bbe8022d2dbdb97e9c74c20d2ee4c81e8147e7c1a385f36ecf6ab

SHA512
c046a2d4f6e8378a1916e6dd01f80c5825767829495016c1048881a99f57fa1edfa6109382719b91293b0eefb21d483269f291ce703db019693a1f89e243ae76

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110202140209\Common\module.php

Filesize
5KB

MD5
494fc453a34c20987a0bfaea84b730f0

SHA1
7c932ff0b15bdc72b977a6cc0c6c1a214781d783

SHA256
ace24c05bd895cbeffb6a3af252eb081ede24e39a96bc3ac801003da169dac81

SHA512
d99225c99c6d71be59c85d784637206c3e0fd161e3d0051eead92bd6548c85d8f9fb30c4b2644c38082091f6b97d82e79a74ea3e8ba3debd6a91e5a07f2eee07

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110202140209\dialerexe.ini

Filesize
694B

MD5
62fe1bc504386ef274a53c920dcab2df

SHA1
a50add19e5a9f738fa6ef11e407302a4c9370513

SHA256
1970f87e540904c72b2dfadaa95a9ce303c4a809d3be330629efe3f0f794b8f3

SHA512
4e9ad2b760378e368284dfe35cdc35fe1a5613584dbddaad120df64779bfbfc848ce9b5ffc2c370da34e165478f3ab9335b4b4789987fced84d3501aabf05047

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110202140209\medias\p2e.ico

Filesize
766B

MD5
d458cbc6440e490ab1b175806b3f6aa3

SHA1
e2a30e34b9dea7b0fbe30b5bac7f26932cda12dc

SHA256
218eef51d18305b76ba38b8f3db2cf04d085d69b93dbd37a5fa62579b5c46197

SHA512
3138f2cd5e6e1e63feb2e5f00a75b7d2490df4eeeef1a5e4c5e7161253969c1136fe16f914e1daf0320649a4934c670eafb5cdc5b2cc542bc8290361cb4dcadb

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
bfebf2d671929fe2f2bb3d6fc204dbcd

SHA1
93e9a3517d059a8f5e0ebdf96abd75794b3a2903

SHA256
7092aa5ca93a86a73157a19a76bf6c08f8be16a987f0f00a9d6118cd6445db24

SHA512
0424f7e4fb5e15bbd71ed05b701d0c7e0f241ca7179d6a2d3d92e5d11a67390015ad8cc31d6e7f1ef57160171f3cd3838812d1ee04f14256be2db9c81f268552

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
183KB

MD5
6ad896ff91c54ad39189f10240415209

SHA1
af643da67169179488d59f82f8f60687ae2d32c5

SHA256
bb332d9adb3eb02e8f17e7410db47a9027aafcc2643e58c1f73107fd8d5c98d6

SHA512
f918c7a69900ba1cbf369a98cb672a7cfe26d4a584b75f0542e8c85ae40ad98532a4595b14edccee15b9dade74a951024de93c6d1a2363d36c3783c1fd947060

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/408-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/408-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1440-28-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/2916-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2916-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing