5be1e6f7f4c472cf0566382ae2f2ec86b0f6d7e8fb961a23413937facc741d40

General

Target

b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
Size

299KB
MD5

b94266574db43e28f39fb657890321f9
SHA1

717aa98fc89805fe3905d5acf06d83aa8bd5f036
SHA256

5be1e6f7f4c472cf0566382ae2f2ec86b0f6d7e8fb961a23413937facc741d40
SHA512

abb0e3ec017c6d442ad5c80b19160a9e5faee6e37019d3689d37d11d49677c6ee4b49fd917d3a23b73c0d80f7e9ca66d32b39bff77831e58111e6511c478772f
SSDEEP

6144:VNunPuVXLjkHGR4febZrnGQZ9iip1hl1uBhol/0Iio0CH8Z0jF:VknoXLjkzfebxGQrXuslMx50jF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	skype.exe

Loads dropped DLL 10 IoCs

pid	Process
2220	Regsvr32.exe
1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\	Regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\resiifers.ini	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\llakuqyrod.dll	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\skype.exe	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2792	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skype.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\llakuqyrod.TIEBHOCom	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\ProgID\ = "llakuqyrod.TIEBHOCom"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32\ = "C:\\Windows\\SysWow64\\llakuqyrod.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\llakuqyrod.TIEBHOCom\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\llakuqyrod.TIEBHOCom\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\llakuqyrod.TIEBHOCom\Clsid\ = "{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\ProgID	Regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2220	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2792	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2792	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2792	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	31
PID 1940 wrote to memory of 2792	1940	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2708	2792	skype.exe	32
PID 2792 wrote to memory of 2708	2792	skype.exe	32
PID 2792 wrote to memory of 2708	2792	skype.exe	32
PID 2792 wrote to memory of 2708	2792	skype.exe	32

C:\Users\Admin\AppData\Local\Temp\b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b94266574db43e28f39fb657890321f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\llakuqyrod.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2220
- C:\Windows\SysWOW64\skype.exe
  "C:\Windows\system32\skype.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\llakuqyrod.dll

Filesize
218KB

MD5
d4e7740d937f9c74597eca18a9188155

SHA1
d363f2d3c5a2ccbb152ca780e32411522459f0cd

SHA256
6cad972d2bcb94a538c172aa90122739fa725ff60c0edc71edcd4bdb6f42b702

SHA512
dfc44473d76af4437678a626f3c3cf322cfa287734bbc898a43bad99dcccb03896b105fff955b2a6b2e6d18fc248bc98b360f836586a45fe608e7bf16689d562

Download Submit
C:\Windows\SysWOW64\resiifers.ini

Filesize
83B

MD5
fb040e7a3aac21042a53df355dc07074

SHA1
62c3efc6cafc11e47654e7ee7ddce9284a7efced

SHA256
7bcd9c0c85398cb0cb41c732791b889003d867d475cfea9633d21ca8928f4e45

SHA512
1f97f84e1b7bedd93a27be54267718fd3882b22c8080abbe01f9cafa0da32428fdcbaa22e774f53fff619a8d6d4c7dc5c30b9be2cd26f8a3c88a2150e6b88747

Download Submit
\Windows\SysWOW64\skype.exe

Filesize
57KB

MD5
fc5ac29e159b8442352a75d1a418deaf

SHA1
ec570ad6723961107a1afcb940b446de9cf4ea02

SHA256
e40c5a5f31db82210bea6dcb779c74ed37ab84169fb0f522916096dedb1794d3

SHA512
e215b28f47c653cf4aa06cdc6ac63b0a9e8c1eddaa45e36f90b95f0bf1fd749994233a847a1b73ed6a554c348f30c8c786bfb1b44d6b2b419a08db8525c73c51

Download Submit
memory/1940-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1940-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1940-24-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2220-11-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2220-10-0x0000000000A00000-0x0000000000A9D000-memory.dmp

Filesize
628KB

Download
memory/2792-23-0x0000000000407000-0x000000000040F000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing