8417cb8e3ed25daa646d46a1ae96e95dcf8511e1cced13e7430b7bceddf865fc

General

Target

aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe
Size

99KB
MD5

aa99d52f11df406883606b14c707a8d1
SHA1

1718fd42b333ad04aef67913d6d5c7b424ce4f2a
SHA256

8417cb8e3ed25daa646d46a1ae96e95dcf8511e1cced13e7430b7bceddf865fc
SHA512

f7cd3d2ab20e3755f890a2fcd7ffa65559c5027d27f7c3b4f7077e17f60d2a6a8275056c0fc346eeb06a76a60530bea1eae70e71bb5d3d3b5b2679b8d8e7daf9
SSDEEP

1536:6wqdjE6QBj8I/bOgNVrDXABDENesfJj6k2BZKob:wjQjr/bO6dDXABDUesYk2BUob

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4908	TROJAN.EXE
3332	OPTIMIZATOR.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winstart.bat	TROJAN.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROJAN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OPTIMIZATOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\500 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\505 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\400 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\405 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\408 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\409 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\410 = "4294967295"	OPTIMIZATOR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\403 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\404 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\406 = "4294967295"	OPTIMIZATOR.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\501 = "4294967295"	OPTIMIZATOR.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3332	OPTIMIZATOR.EXE
3332	OPTIMIZATOR.EXE
4908	TROJAN.EXE
4908	TROJAN.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4908	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	86
PID 4120 wrote to memory of 4908	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	86
PID 4120 wrote to memory of 4908	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	86
PID 4120 wrote to memory of 3332	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	87
PID 4120 wrote to memory of 3332	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	87
PID 4120 wrote to memory of 3332	4120	aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe	87
PID 3332 wrote to memory of 3488	3332	OPTIMIZATOR.EXE	88
PID 3332 wrote to memory of 3488	3332	OPTIMIZATOR.EXE	88
PID 3332 wrote to memory of 3488	3332	OPTIMIZATOR.EXE	88

C:\Users\Admin\AppData\Local\Temp\aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa99d52f11df406883606b14c707a8d1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\TEMP\TROJAN.EXE
  C:\Windows\TEMP\TROJAN.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4908
- C:\Windows\TEMP\OPTIMIZATOR.EXE
  C:\Windows\TEMP\OPTIMIZATOR.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "move C:\Windows\system32\shdoclc.new C:\Windows\system32\shdoclc.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\OPTIMIZATOR.EXE

Filesize
40KB

MD5
e3b6f9002488a9a9220e29e851e24ff9

SHA1
0192d7e51ec8c1c462a87703c3a9b599efca302b

SHA256
93c570fbf3526a33480338ac7a3ce85d12f7dc59086a36f401afa1489f7ac056

SHA512
3989b07f752f446459ecf5a5a14509c94fdbfacdcb49157866a1b63055b5df5aca604d98d252fcf3c18c6dcc72e85bfc3e06e179661e94e5d49ea937048fe5ae

Download Submit
C:\Windows\Temp\TROJAN.EXE

Filesize
13KB

MD5
687051ed75be81d733e7489d7c7c773f

SHA1
99a7771e8e559830329dabcead04c43874134ff5

SHA256
92d63ee58e835d8cfc6943537d1beb080279bfd1538a010423be42e713390da9

SHA512
b4fe281d3a16939b333cd38dabfceb9b2a42d871f3efc1a967db0e50af52b70cc3922865f65b3ac8df7828a0acbc869b199e4b1e2e4b4e058bc65a91fcef6bd5

Download Submit
memory/4120-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4908-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4908-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4908-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing