5be1e6f7f4c472cf0566382ae2f2ec86b0f6d7e8fb961a23413937facc741d40

General

Target

b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
Size

299KB
MD5

b94266574db43e28f39fb657890321f9
SHA1

717aa98fc89805fe3905d5acf06d83aa8bd5f036
SHA256

5be1e6f7f4c472cf0566382ae2f2ec86b0f6d7e8fb961a23413937facc741d40
SHA512

abb0e3ec017c6d442ad5c80b19160a9e5faee6e37019d3689d37d11d49677c6ee4b49fd917d3a23b73c0d80f7e9ca66d32b39bff77831e58111e6511c478772f
SSDEEP

6144:VNunPuVXLjkHGR4febZrnGQZ9iip1hl1uBhol/0Iio0CH8Z0jF:VknoXLjkzfebxGQrXuslMx50jF

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	skype.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\	Regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\resiifers.ini	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inpgsrizko.dll	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\skype.exe	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skype.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inpgsrizko.TIEBHOCom\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32\ = "C:\\Windows\\SysWow64\\inpgsrizko.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inpgsrizko.TIEBHOCom	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inpgsrizko.TIEBHOCom\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inpgsrizko.TIEBHOCom\Clsid\ = "{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D2EAF15-81D0-42DA-8C39-19EDD39E0FB3}\ProgID\ = "inpgsrizko.TIEBHOCom"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	skype.exe
2812	skype.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2908	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	85
PID 4720 wrote to memory of 2908	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	85
PID 4720 wrote to memory of 2908	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	85
PID 4720 wrote to memory of 2812	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	86
PID 4720 wrote to memory of 2812	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	86
PID 4720 wrote to memory of 2812	4720	b94266574db43e28f39fb657890321f9_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\b94266574db43e28f39fb657890321f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b94266574db43e28f39fb657890321f9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\inpgsrizko.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2908
- C:\Windows\SysWOW64\skype.exe
  "C:\Windows\system32\skype.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inpgsrizko.dll

Filesize
218KB

MD5
d4e7740d937f9c74597eca18a9188155

SHA1
d363f2d3c5a2ccbb152ca780e32411522459f0cd

SHA256
6cad972d2bcb94a538c172aa90122739fa725ff60c0edc71edcd4bdb6f42b702

SHA512
dfc44473d76af4437678a626f3c3cf322cfa287734bbc898a43bad99dcccb03896b105fff955b2a6b2e6d18fc248bc98b360f836586a45fe608e7bf16689d562

Download Submit
C:\Windows\SysWOW64\resiifers.ini

Filesize
83B

MD5
29fca6fd3ca8332ee292f1d4502f187a

SHA1
0a33bb336efedc6317af0c74f6614fb80448df0e

SHA256
a07c30085d222335454ff4d0e770f4ac078e531079ab7c3fbb16f1beb9014fab

SHA512
5ec1cfc1b84ddd5476b69bac5c7ee17a09c429a54dac46db0fd2c76c7d78f706cafed85c652d05c14017c098c6600a08d8583dab3000e5a0a6655f1c2029eb7c

Download Submit
C:\Windows\SysWOW64\skype.exe

Filesize
57KB

MD5
4c7be026c2d95f893ca401abb62b614e

SHA1
0848587f9a58dffc761bdf53af3dd8ae7dd4a494

SHA256
4a5ef08d3e0896a6f2611385565f5e082b8a401596f5e6ce57b7a8c26a319116

SHA512
2101ebb8d315daf0bde78e766c50c1a04ed6001028001a82303d8985594a670e11867dbbf7ffb8bcb9a84689af07feba96259c672cb823cd930833fbb26d340a

Download Submit
memory/2908-10-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2908-11-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/4720-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4720-1-0x0000000000650000-0x0000000000652000-memory.dmp

Filesize
8KB

Download
memory/4720-23-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing