45b50ff43794a672a545244455d2d9af9edb1584b98e3545dd60a6273591eb0e

General

Target

94a5ff705624aff62608105f77126b08_JaffaCakes118.exe
Size

123KB
MD5

94a5ff705624aff62608105f77126b08
SHA1

5d35d8f7fbefa06b4d4cd3481389533c9fbed4bc
SHA256

45b50ff43794a672a545244455d2d9af9edb1584b98e3545dd60a6273591eb0e
SHA512

bdc3a80d87e8f57f903fc33948e402913bc2a72253a14bc2661622302882377e1f3533d34041cb706c0a579838584fe7c5e83a0bd92bdd15ae7ec5dce9d55a07
SSDEEP

3072:ueSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLPUvFjGob:uVYrJrOSsRwcpRSjG2

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016eb4-30.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2536	iaccess32.exe

Loads dropped DLL 3 IoCs

pid	Process
2416	regsvr32.exe
2536	iaccess32.exe
2536	iaccess32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0008000000012119-8.dat	upx
behavioral1/memory/2040-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0006000000016eb4-30.dat	upx
behavioral1/memory/2536-77-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-78-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-79-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-81-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-82-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-83-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-85-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-86-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-88-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-89-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-90-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-92-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-93-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\dialerexe.ini	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e_2_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110120050117\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110120050117\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaccess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
1812	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2040	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe
2536	iaccess32.exe
2536	iaccess32.exe
2536	iaccess32.exe
2536	iaccess32.exe
2536	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2536	2040	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2536	2040	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2536	2040	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2536	2040	94a5ff705624aff62608105f77126b08_JaffaCakes118.exe	30
PID 2536 wrote to memory of 1812	2536	iaccess32.exe	31
PID 2536 wrote to memory of 1812	2536	iaccess32.exe	31
PID 2536 wrote to memory of 1812	2536	iaccess32.exe	31
PID 2536 wrote to memory of 1812	2536	iaccess32.exe	31
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32
PID 2536 wrote to memory of 2416	2536	iaccess32.exe	32

C:\Users\Admin\AppData\Local\Temp\94a5ff705624aff62608105f77126b08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94a5ff705624aff62608105f77126b08_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:1812
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20110120050117\dialerexe.ini

Filesize
668B

MD5
6f73ca8279d6ee3d38da7982e2109e93

SHA1
3ed8ff3e3918b59f959b0ec1ebb6930d9e3f8fec

SHA256
e1570eb2402f0e05215f24a5af0c9986e593067fcab5ea4c19d08e974548b1ed

SHA512
b5bb8189782542976700222b822b8d8bbd5ee62baddbd0b4bfc2460ca3ab3d477ea8fd38f56a8ab3a1347201f2b53a05c5c0ebb4bc66d12da5d48f2215a10873

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
ef6ed257b86ddb5a211b910ad02e4421

SHA1
5fd2cccfad0e9939d62e10c4d2c351ee759a74c9

SHA256
a3022a2ea72fa52ba1aac45b1b9adb428964a51fb580952210a85ee8b41a7080

SHA512
939a783b6fb61703f91610e818e07de2f4ed2b4d20c56941fd3e2a6e7e519dc9a609dfb83cfdb38edf1724c2608294b46bb21968b1d5c9cd8e165dabe280f3c3

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
5790a83f61f4af9fd375c6edb3e4153a

SHA1
6ec75f191efd5f5a428b8cf084c7bbbd905ff248

SHA256
5d0508ffecf0cb035a7e06d7bb371b457f0643f3484b8e79abf5232fde4349df

SHA512
1efbcd081cd5df9d10ad5f9f6b89ee7e143ffda148e70fdc2616f3019210e3ca47fc5987953f8af15cb37a6956ded7f91e90e3fc1ae5653838f605a8e13b5360

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/2040-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2040-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-56-0x0000000001E30000-0x0000000001E40000-memory.dmp

Filesize
64KB

Download
memory/2536-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-80-0x0000000001E30000-0x0000000001E40000-memory.dmp

Filesize
64KB

Download
memory/2536-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-44-0x0000000001E30000-0x0000000001E40000-memory.dmp

Filesize
64KB

Download
memory/2536-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-88-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-93-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing