45888b41214b7a9da67bb94bea38eb47cc0c73778a2e08a7ce8d835797e13aed

General

Target

889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe
Size

61KB
MD5

889f02d585e62fa6e1a6d1cb80d952be
SHA1

3980a32e09823cb144237e368a00b266c94d9974
SHA256

45888b41214b7a9da67bb94bea38eb47cc0c73778a2e08a7ce8d835797e13aed
SHA512

adfd2044fa9a47b13e9d2759e628c9ed99dc5b1b2b58de8021d3b2c3854ba1b7bc59cf1380b9e4f2f4f61971e35a960b4768ef79e61cab3c21a70a47f0aee290
SSDEEP

1536:BX1hFxqX+F3isOhMqEgpjwdUFMOUgHluFRR2t/0S6:Z1hqo3HqEg6BOUU8FqH

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1312	kept.exe
2888	load.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023457-8.dat	upx
behavioral2/memory/1312-24-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1312-39-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	kept.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	kept.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmmsnfsn.dll	kept.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4924	2036	WerFault.exe	83
2740	2888	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kept.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	load.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	kept.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1312	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	90
PID 2036 wrote to memory of 1312	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	90
PID 2036 wrote to memory of 1312	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	90
PID 2036 wrote to memory of 2888	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	91
PID 2036 wrote to memory of 2888	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	91
PID 2036 wrote to memory of 2888	2036	889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe	91
PID 1312 wrote to memory of 3276	1312	kept.exe	94
PID 1312 wrote to memory of 3276	1312	kept.exe	94
PID 1312 wrote to memory of 3276	1312	kept.exe	94

C:\Users\Admin\AppData\Local\Temp\889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\889f02d585e62fa6e1a6d1cb80d952be_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 424
  2⤵
  - Program crash
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\kept.exe
  "C:\Users\Admin\AppData\Local\Temp\kept.exe"
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c preved.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3276
- C:\Users\Admin\AppData\Local\Temp\load.exe
  "C:\Users\Admin\AppData\Local\Temp\load.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 228
    3⤵
    - Program crash
    PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2888 -ip 2888
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\load.exe

Filesize
9KB

MD5
6add75b8235ccf12661903f202981c93

SHA1
0361d44e4a6b6cc9541622436acd1e7104108256

SHA256
4036d04060beae76cda99ec7d68ec488a36340addbc1575559ac8748b311b17b

SHA512
06860c87d604dc91ed415cf7634a721a6c2ba822c01d5569b6aa54d167bd6de99cd2c49cad705b93644953b9f4cc721464400e148b3ab9ef42646104e11dbed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\preved.bat

Filesize
159B

MD5
01d030a96ea759f7a77de4418b589d26

SHA1
c477d4510a484ac15a07d0b09ecdec0a5e227028

SHA256
8920328983362064eac8d911aeea19de37727bd4bc57684782c39b25f13b0050

SHA512
984d2475f9dcbba22ac962f5750c96b15af7a9594caef73bf00ec077276f935af43e044bd74f6f122c799b88a22a1dbb60c75f434511b61a47944a766fb9e7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxVoxeNkiW

Filesize
32KB

MD5
0482b3f2a4ba95ccb7c88381d1fc9719

SHA1
85cf3021ca5877e58632205c191ee96616f31dc2

SHA256
c59e23c9b34ea3050b97f0e4e9eb1e1b197e7a460cc17bc04c4495d74ebe1dd9

SHA512
8653a27b27f9caa1c0d2474210c2200e95438a891f5a56647b80d0f5746ba2469c9c34b99556002b69e61a3148e3e78329619e92281205b0c86d122de1b925db

Download Submit
memory/1312-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1312-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2036-0-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download
memory/2036-32-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads