31a1553ca7cb23f86e5e841596311e489c7c5285b4ac49d4fe655a918f2a5723

General

Target

bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Size

1.2MB
MD5

bc0c44357c2dd5683406f6523f65590e
SHA1

29eea060fca71efac3aecb7962c51d66e83b2e93
SHA256

31a1553ca7cb23f86e5e841596311e489c7c5285b4ac49d4fe655a918f2a5723
SHA512

68dad1bfe9260ed7b3d7d3fe4beea1ba766ad944a4a95be24968405b38e970c45c089ca5de9633dd63c9727e2cacfedeeb559bbbf50d8cfb75587b0fd7f3a8a1
SSDEEP

24576:p1hV44mXVPitJFvB8ezCLEvmskrM5GVD/wKRaWdGX4IK9FwnkPr8m2NBMUO:DrFmXV68IkA5GD4Lort8/o

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
3256	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3b4546e-beb3-115e-8779-3f8997b07305}	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3b4546e-beb3-115e-8779-3f8997b07305}\NoExplorer = "0"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\f6b41f6b.dll	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\16b9b0dc.exe	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3b4546e-beb3-115e-8779-3f8997b07305}	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3b4546e-beb3-115e-8779-3f8997b07305}\ = "sleekseek"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3b4546e-beb3-115e-8779-3f8997b07305}\InProcServer32	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3b4546e-beb3-115e-8779-3f8997b07305}\InProcServer32\ = "C:\\Windows\\SysWow64\\f6b41f6b.dll"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3b4546e-beb3-115e-8779-3f8997b07305}\InProcServer32\ThreadingModel = "Apartment"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{a55d6f08-4937-41fb-68b1-64ab01161712}	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a55d6f08-4937-41fb-68b1-64ab01161712}\1080008765 = "Ã“í¥¡»£”¼•\u00a0¼Á”¾\u00a0ö"	bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc0c44357c2dd5683406f6523f65590e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8C92.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C92.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
C:\Windows\SysWOW64\f6b41f6b.dll

Filesize
1.9MB

MD5
c57bfc1c24b16df571bf0a90124aabf0

SHA1
32ab3c366bc32dc3ddc88c42eea70a4739f2e3c4

SHA256
8a1cc850e65e92b960f33c999fcd2452f08899a8bf94f0f51e6cf03775cb403e

SHA512
93e9918561235b22c5b276ba7454b8e7f3f09f35742d5766d7a81db20ff0f62e562a989eab2e32a517b12b4fb344436bfb97e2d7f6d0d950950bfd2d497edf1b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads