f3763ecfc43bf030eea7428843bcd6a2767c65884b3ca8f44097441ce0d8d8df

General

Target

81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe
Size

123KB
MD5

81c715ac916b7a3dc2de6e37bfd7542a
SHA1

65e77e69ae94b92c32740002c6b8f69aa314e838
SHA256

f3763ecfc43bf030eea7428843bcd6a2767c65884b3ca8f44097441ce0d8d8df
SHA512

056b934e3020ccb6087be8d6ffaccd4e530b70a39e17d3256b2fcbcb5368ab65ff6e93452b6ed605ef932a4fb08a6743877bc6671ed424db55417c65fad8c108
SSDEEP

3072:ueSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLAjmZd:uVYrJrOSsRwcpSa

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016dcf-30.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2044	iaccess32.exe

Loads dropped DLL 3 IoCs

pid	Process
2872	regsvr32.exe
2044	iaccess32.exe
2044	iaccess32.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1332-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000a00000001202b-5.dat	upx
behavioral1/memory/1332-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0006000000016dcf-30.dat	upx
behavioral1/memory/2872-32-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral1/memory/2044-86-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-88-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-92-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-93-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-94-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-95-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-96-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-97-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-98-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-99-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-100-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-101-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2044-102-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e.ico	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110120190118\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\instant access.exe	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120190118\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaccess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2432	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1332	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe
2044	iaccess32.exe
2044	iaccess32.exe
2044	iaccess32.exe
2044	iaccess32.exe
2044	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2044	1332	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe	30
PID 1332 wrote to memory of 2044	1332	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe	30
PID 1332 wrote to memory of 2044	1332	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe	30
PID 1332 wrote to memory of 2044	1332	81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2432	2044	iaccess32.exe	31
PID 2044 wrote to memory of 2432	2044	iaccess32.exe	31
PID 2044 wrote to memory of 2432	2044	iaccess32.exe	31
PID 2044 wrote to memory of 2432	2044	iaccess32.exe	31
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32
PID 2044 wrote to memory of 2872	2044	iaccess32.exe	32

C:\Users\Admin\AppData\Local\Temp\81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c715ac916b7a3dc2de6e37bfd7542a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:2432
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20110120190118\Common\module.php

Filesize
5KB

MD5
59581fef1b59bedf855152d7971c442b

SHA1
6a2703613e4e7affda003e1341742879fe1aefca

SHA256
aff91231011d286a4a47aee81a0bea52034fad8d1192d24b2167ceee4ca90796

SHA512
f759e065ffb87a8261e31a0c4537c1ede683cd8e77e11525b94d0e304965c1a331b966812d8b2b645dee5558e44ccd47817b73602170358635cd371c3638cfcc

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110120190118\dialerexe.ini

Filesize
694B

MD5
f99eee51a8969758c6fc54ecbdeffcee

SHA1
815bc9809b1096704fd56d925885ab8473a4f48d

SHA256
73d4e06a164c229e72249892721ef63a2130c0533795daacf222edbd834f9cca

SHA512
be98f2bd92f14c3d4edf2ebd15a682e6af492ca5c6a5a0a528fe43e51026281a0cba2f5eadbb968d29042d571b1f1020b522863dba9d3b15789a2184d2ee9dfe

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20110120190118\medias\p2e.ico

Filesize
766B

MD5
d458cbc6440e490ab1b175806b3f6aa3

SHA1
e2a30e34b9dea7b0fbe30b5bac7f26932cda12dc

SHA256
218eef51d18305b76ba38b8f3db2cf04d085d69b93dbd37a5fa62579b5c46197

SHA512
3138f2cd5e6e1e63feb2e5f00a75b7d2490df4eeeef1a5e4c5e7161253969c1136fe16f914e1daf0320649a4934c670eafb5cdc5b2cc542bc8290361cb4dcadb

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
fcb75dd99d1e786ae999696ed3049593

SHA1
ce49769aeca0e7f012a4c122a615d8a85c92b3dc

SHA256
d2024e48cbbe7edf884e486e24caebf9d653dee8799729aca57f01bd45afe074

SHA512
60d4783ef20e67e09bae06f3ff75c03260db12692b9f3d24a3f72cc5ea3899b1c31c76ede98ae7bf3749595b5e5148e64f6ed72a36ad4a8a3d2b88048407d6a0

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
dee985b503ab6bb46406a6c712d86548

SHA1
56b3c05c226fa5168d4417580d290eb2a6e86ff7

SHA256
a27b37212ddefb6b4089a9f11cc67667692a771d46de3296a2ba8c751b0d1c4a

SHA512
6d2249eeb54fed42d970b3d2cc15ca6ae2b871b2d67078571c32d812b0d49b6b338d320578bbde844812c676caa44a0de07a1b39ec06443ecef35af2ea7bfeee

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/1332-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1332-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-46-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/2044-102-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-88-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-89-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/2044-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-56-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/2044-93-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-94-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-95-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-97-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-98-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-99-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-100-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-101-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2872-32-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing