19d3f5d851b294f4c46d19efbcdb871ad018c1fd9c02a3e42d1dbd324b86a2fc

General

Target

8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
Size

718KB
MD5

8be756adb43dcd218b26bc9b1b284d18
SHA1

8d151096a61c4a78e7740edf8ffc729e8efa94d8
SHA256

19d3f5d851b294f4c46d19efbcdb871ad018c1fd9c02a3e42d1dbd324b86a2fc
SHA512

01dd2a432f8504c83565e0cc1374c5f36aa40000c6e7d7e7bdb1d8f359048f21c82bbab32b7c341515a907024f79c0976870c700d793c74612efba40d555f338
SSDEEP

6144:VM/in98C/WvBJIzvGO8QC2VV8nVG2CPRgLXM+1mq7kycl8dk3LNr6XoRDae8N5Yy:cC98CQnmGl2g+gL8+13gyc6EZou+A2n

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1808	ShopAtHome_Toolbar_Installer.exe
2508	SelectRebatesDownload.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe	ShopAtHome_Toolbar_Installer.exe
File opened for modification	C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe	ShopAtHome_Toolbar_Installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	ShopAtHome_Toolbar_Installer.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShopAtHome_Toolbar_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SelectRebatesDownload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2508	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2508	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2508	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2508	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2420	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	37
PID 2680 wrote to memory of 2420	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	37
PID 2680 wrote to memory of 2420	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	37
PID 2680 wrote to memory of 2420	2680	8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe	37
PID 2420 wrote to memory of 1736	2420	iexplore.exe	38
PID 2420 wrote to memory of 1736	2420	iexplore.exe	38
PID 2420 wrote to memory of 1736	2420	iexplore.exe	38
PID 2420 wrote to memory of 1736	2420	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8be756adb43dcd218b26bc9b1b284d18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe
  C:\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe -t:"C:\Users\Admin\AppData\Local\Temp\Low\SK31NGAU.exe" -d:"C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe" -i:"C:\Users\Admin\AppData\Local\Temp\Low\HEB4UIV9.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe
  "C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Program Files (x86)\internet explorer\iexplore.exe
  "C:\Program Files (x86)\internet explorer\iexplore.exe" "199.221.131.86/RequestHandler.ashx?MfcISAPICommand=installstatus&param=%00%01%01%00cIh8TWZadr7iiDTOi6Utcg07tcavA3WcY3TV323eREHrpox731DkC9gezY0Fi4VejMeI2EH3dRzbhUpYtp5_c-Shdel3wFhsNE87Vs0Umq4OBu8oZwQeYWyv1eR7NHAI88nQT9ABo3ecRsEO-NMhDV4tavel7WlxcO4eTJNGbIOJsoosBA7FSbNqN08_iJWcW4e8NDz0VBnImqYeUmbdLS7_u4RSgVr3YlqPD9TgJwlrX1DZZty0TOiLGJMA9C6tjuYgC2XK8YEjV9VztsUPKIoLwlSQH587lLQiNd9Zk_35KJOhYrsbxW1sw0sxz9iL54cfSU5VxlV--cMJTxeyz0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "199.221.131.86/RequestHandler.ashx?MfcISAPICommand=installstatus&param=%00%01%01%00cIh8TWZadr7iiDTOi6Utcg07tcavA3WcY3TV323eREHrpox731DkC9gezY0Fi4VejMeI2EH3dRzbhUpYtp5_c-Shdel3wFhsNE87Vs0Umq4OBu8oZwQeYWyv1eR7NHAI88nQT9ABo3ecRsEO-NMhDV4tavel7WlxcO4eTJNGbIOJsoosBA7FSbNqN08_iJWcW4e8NDz0VBnImqYeUmbdLS7_u4RSgVr3YlqPD9TgJwlrX1DZZty0TOiLGJMA9C6tjuYgC2XK8YEjV9VztsUPKIoLwlSQH587lLQiNd9Zk_35KJOhYrsbxW1sw0sxz9iL54cfSU5VxlV--cMJTxeyz0"
    3⤵
    PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\HEB4UIV9.tmp

Filesize
56B

MD5
d32cede39e8b41ffb8f4a30b6006f5f0

SHA1
e4ce679afab2abf9e586f5fc938685354b592eb1

SHA256
eb8e6cab79e6781b58f83a3fff33b520195eab2b2eeb748eec69e14e5a83c64b

SHA512
e2d1c360e077d2b1dbe100869b347967c132036210994ebfcccc7cfda6b894344df89622dbd8ea6e6fab7746f836817425c3920dffe67dabcd70ca05ff50ccd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\HEB4UIV9.tmp

Filesize
73B

MD5
1c1c50eb4f1f6b881054f3fadcebefdb

SHA1
19dfa7ddd3ba46f7ff55e08ee76e3b49030ac5eb

SHA256
020eb4c5f6b8d78b3739b7c3265d5d437e9353f19d0e727f31aa3edf88674c54

SHA512
87bb21b9cef8acd34cacef64931af222cc6afa3d2eeeef29628d131c90556d9a06df6c5b524a1a4c8d106c9004b5c553d8007578888b24e82097ab22b4297920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\SK31NGAU.exe

Filesize
169KB

MD5
589c85ad4b3fd73456f32eb9d58e2f9c

SHA1
95ce6284d38c8948ce30c4abf9b4b6ff60c9efe6

SHA256
dfe385206e3ba737636463b22501b801b88169af789424e8a33c3cf07a8b2235

SHA512
eefa14b37c7ecdfe95f9951a09d0c876a2c1bfd8b029869f8928bae2266ebb0a90e64e10e0781ec71638042eb5e88806a252e55176578e96de44ab5c17f25782

Download Submit
\Users\Admin\AppData\Local\Temp\ShopAtHome_Toolbar_Installer.exe

Filesize
185KB

MD5
6f859cb344a13169bfa611274ca70bd7

SHA1
f9109b10ceb1f248b59828a465098f96897bfe4b

SHA256
ac4f3c6d4484706c3a9f30739c4ad0165ee5ac17ea2ec5fbd59690ce758d60da

SHA512
3a8b0e62bf4c2ff15137119416ca90b4ffd0487991c88ee343fd9c5040b685ec6000b4c8c5a940c790a1a3927cfb3d4635876775b2086faadfb416dfa89ca5e7

Download Submit

Analysis

Sharing