155b302a27a19c27abd6f05d61bfbb10c1f84f6d041a8bcf08ded01c93cd6324

General

Target

83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
Size

763KB
MD5

83278099da82d2de669cff6f0a6cd691
SHA1

f7a9b8f3ced2e04301d31e43b2f2a9e9d583bc4a
SHA256

155b302a27a19c27abd6f05d61bfbb10c1f84f6d041a8bcf08ded01c93cd6324
SHA512

4f98f2abcf8744b36fcc1e92c3df049ce8e5ddf5950f907c1917754c1f76511f06ed7c80563f7a9d7cc6cc70c85119b9013fad35655f23244c05a07be5043f3d
SSDEEP

12288:7v/E9Ot8RNxIR+7+AgiYJBDID/CLTAaQSk3cYtAPRcQy0XhnSdiMCsyc:7vsOtYNEo+AuzIzuvoRAPRcQy6tSUK/

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002350d-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3264	Dasdshi.exe

Loads dropped DLL 6 IoCs

pid	Process
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
3264	Dasdshi.exe
3264	Dasdshi.exe
3264	Dasdshi.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002350d-4.dat	upx
behavioral2/memory/4860-5-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/3264-25-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/4860-35-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/3264-38-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/3264-42-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dasdshi.exe	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dasdshi.exe	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dasdshi.dll	Dasdshi.exe
File opened for modification	C:\Windows\SysWOW64\Dasdshi.dll	Dasdshi.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\1a9e13bc8c3157e0c1e362ec414e85ee.dat	Dasdshi.exe
File opened for modification	C:\Windows\Fonts\1a9e13bc8c3157e0c1e362ec414e85ee.dat	Dasdshi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dasdshi.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{734A6C6D-586F-11E6-A15C-7E9B73D38187} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	Dasdshi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "176879611"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
3264	Dasdshi.exe
3264	Dasdshi.exe
3264	Dasdshi.exe
3264	Dasdshi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3264	Dasdshi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2884	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
3264	Dasdshi.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3264	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	86
PID 4860 wrote to memory of 3264	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	86
PID 4860 wrote to memory of 3264	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	86
PID 4860 wrote to memory of 2412	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	89
PID 4860 wrote to memory of 2412	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	89
PID 4860 wrote to memory of 2412	4860	83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe	89
PID 3264 wrote to memory of 2884	3264	Dasdshi.exe	92
PID 3264 wrote to memory of 2884	3264	Dasdshi.exe	92
PID 2884 wrote to memory of 3472	2884	IEXPLORE.EXE	93
PID 2884 wrote to memory of 3472	2884	IEXPLORE.EXE	93
PID 2884 wrote to memory of 3472	2884	IEXPLORE.EXE	93
PID 3264 wrote to memory of 2884	3264	Dasdshi.exe	92

C:\Users\Admin\AppData\Local\Temp\83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83278099da82d2de669cff6f0a6cd691_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\Dasdshi.exe
  C:\Windows\system32\Dasdshi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\del_file_b.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P28Y2V7F\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
405KB

MD5
be7c7ab5b5cd19ac739e679b8750c3bf

SHA1
f5dd1d0c2a3b46b8c48a82dc98f709c2064e7f58

SHA256
44912d51643c8964fc13118dc678b42e6d85481bb33f154128f209f5c2a1135a

SHA512
cbb7ec7c9e231236e47a1b55c617ea336dedf33b2d1248d53e2bcea81185200b2a45b356b137e8631021aa934934a4b29c9a2e958343468eba7692c5493997b2

Download Submit
C:\Windows\SysWOW64\Dasdshi.exe

Filesize
763KB

MD5
83278099da82d2de669cff6f0a6cd691

SHA1
f7a9b8f3ced2e04301d31e43b2f2a9e9d583bc4a

SHA256
155b302a27a19c27abd6f05d61bfbb10c1f84f6d041a8bcf08ded01c93cd6324

SHA512
4f98f2abcf8744b36fcc1e92c3df049ce8e5ddf5950f907c1917754c1f76511f06ed7c80563f7a9d7cc6cc70c85119b9013fad35655f23244c05a07be5043f3d

Download Submit
\??\c:\del_file_b.bat

Filesize
235B

MD5
cd0df017e096db2cdabb26524afd4d2b

SHA1
2032a0d1ae8234d8e8f8b4f20cad565814abf39a

SHA256
e2ed08b9dfaee6b03e753936bac7675c61176b8946daa7b8971330857444e80d

SHA512
a652dcf3656fe806b8e7239ce5e286000f0accb903a26672fc4a57f644f016dbe0ec1c93f3d1360bddb054944163d9de0cfb992db38bf3267c592ee3e3e74233

Download Submit
memory/3264-31-0x0000000002DA0000-0x0000000002DBE000-memory.dmp

Filesize
120KB

Download
memory/3264-25-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/3264-38-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/3264-42-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/3264-43-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4860-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4860-35-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/4860-36-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4860-11-0x00000000020C0000-0x00000000020DE000-memory.dmp

Filesize
120KB

Download
memory/4860-5-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing