82f4d192522e473edfebdac3bbd19e5e23cbaf601741e4cace007dca22537b04

General

Target

8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
Size

703KB
MD5

8b5868de15d35c3c85b57a5ca8ffaf8c
SHA1

79b2e58f9f06a446e3d094c45082cfa98df532c1
SHA256

82f4d192522e473edfebdac3bbd19e5e23cbaf601741e4cace007dca22537b04
SHA512

d3cb42421fdfcff227e47607304b8fa40631f740f5a31d3fa2709ac001e08083998ec128fd488aa35c5a63c0b2567db1d442d6b64a8e0efb22c8dfabaef2bf4e
SSDEEP

12288:nvwshptR+jM8vk7NnQzsQzqRTyVH16NBIDNCMmK3QOzvPK2YpJ1FyWE4G/:nvwsX8M8vAQAQziT01YIDNHzvPKqw+

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000233cc-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4836	hjkhklrScS.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
4836	hjkhklrScS.exe
4836	hjkhklrScS.exe
4836	hjkhklrScS.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000233cc-4.dat	upx
behavioral2/memory/1708-5-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/4836-25-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/1708-37-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/4836-39-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/4836-43-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hjkhklrScS.exe	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\hjkhklrScS.exe	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
File created	C:\Program Files (x86)\hjkhklrScS.dll	hjkhklrScS.exe
File opened for modification	C:\Program Files (x86)\hjkhklrScS.dll	hjkhklrScS.exe
File created	C:\Program Files\Internet Explorer\IJL15.DLL	hjkhklrScS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\c97370d9687bc1687c91f5a4f5651624.dat	hjkhklrScS.exe
File opened for modification	C:\Windows\Fonts\c97370d9687bc1687c91f5a4f5651624.dat	hjkhklrScS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjkhklrScS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{360FD5CD-5FEB-11E6-818F-EE255DF7DB21} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "177702424"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	hjkhklrScS.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
4836	hjkhklrScS.exe
4836	hjkhklrScS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4836	hjkhklrScS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3912	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
4836	hjkhklrScS.exe
3912	IEXPLORE.EXE
3912	IEXPLORE.EXE
4064	IEXPLORE.EXE
4064	IEXPLORE.EXE
4064	IEXPLORE.EXE
4064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4836	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	87
PID 1708 wrote to memory of 4836	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	87
PID 1708 wrote to memory of 4836	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	87
PID 1708 wrote to memory of 312	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	91
PID 1708 wrote to memory of 312	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	91
PID 1708 wrote to memory of 312	1708	8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe	91
PID 4836 wrote to memory of 3912	4836	hjkhklrScS.exe	99
PID 4836 wrote to memory of 3912	4836	hjkhklrScS.exe	99
PID 3912 wrote to memory of 4064	3912	IEXPLORE.EXE	100
PID 3912 wrote to memory of 4064	3912	IEXPLORE.EXE	100
PID 3912 wrote to memory of 4064	3912	IEXPLORE.EXE	100
PID 4836 wrote to memory of 3912	4836	hjkhklrScS.exe	99

C:\Users\Admin\AppData\Local\Temp\8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b5868de15d35c3c85b57a5ca8ffaf8c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\hjkhklrScS.exe
  "C:\Program Files (x86)\hjkhklrScS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\del_dtf_1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hjkhklrScS.exe

Filesize
703KB

MD5
8b5868de15d35c3c85b57a5ca8ffaf8c

SHA1
79b2e58f9f06a446e3d094c45082cfa98df532c1

SHA256
82f4d192522e473edfebdac3bbd19e5e23cbaf601741e4cace007dca22537b04

SHA512
d3cb42421fdfcff227e47607304b8fa40631f740f5a31d3fa2709ac001e08083998ec128fd488aa35c5a63c0b2567db1d442d6b64a8e0efb22c8dfabaef2bf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
405KB

MD5
be7c7ab5b5cd19ac739e679b8750c3bf

SHA1
f5dd1d0c2a3b46b8c48a82dc98f709c2064e7f58

SHA256
44912d51643c8964fc13118dc678b42e6d85481bb33f154128f209f5c2a1135a

SHA512
cbb7ec7c9e231236e47a1b55c617ea336dedf33b2d1248d53e2bcea81185200b2a45b356b137e8631021aa934934a4b29c9a2e958343468eba7692c5493997b2

Download Submit
\??\c:\del_dtf_1.bat

Filesize
234B

MD5
92240da91d7ecd09859d0c0a9f0eff2c

SHA1
94aab1d0db2ff500c911e9ac88dbe6d177340a02

SHA256
92e9da9ba005c33a6b65800f5381aef29160b532726bbaa3e048d6bee85b6346

SHA512
874c2d9492ebea192c5c307d1aec23fa6cf28bb7f5cd6157006b757a85091bc495eef74a43a89eb83efd07a3db1510d29d4956afed4f9b897ae31907edd5ca27

Download Submit
memory/1708-5-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1708-11-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/1708-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-37-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/4836-31-0x00000000024D0000-0x00000000024EE000-memory.dmp

Filesize
120KB

Download
memory/4836-39-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/4836-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-43-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/4836-25-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads