ce85f85209551bc0a7950090c29189a8c00057d028464d1aff7a3abf669c33e0

General

Target

bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe
Size

123KB
MD5

bf879ee4df3d7bee174cd501b7147ebb
SHA1

87cee812d0a78b6eab5b7fe9826c94c40d544ab9
SHA256

ce85f85209551bc0a7950090c29189a8c00057d028464d1aff7a3abf669c33e0
SHA512

87d7966ee8f95281e8d5b31513e93b2e8c0cf49959fcdc0ac19340d11d68c6c63d4fe0bf0de60b50af784ef8c93b39bda80ee71d98dc6705697daa1c12a547a0
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLiDz:OVYrJrOSsRwcp+

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234b5-27.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
868	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
792	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3676-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/868-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000900000002344b-3.dat	upx
behavioral2/memory/3676-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-27.dat	upx
behavioral2/memory/792-29-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral2/memory/868-59-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110121210135\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110121210135\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\iaccess32.exe	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaccess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iaccess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iaccess32.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync	iaccess32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iaccess32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2504	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3676	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe
868	iaccess32.exe
868	iaccess32.exe
868	iaccess32.exe
868	iaccess32.exe
868	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 868	3676	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe	84
PID 3676 wrote to memory of 868	3676	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe	84
PID 3676 wrote to memory of 868	3676	bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe	84
PID 868 wrote to memory of 2504	868	iaccess32.exe	87
PID 868 wrote to memory of 2504	868	iaccess32.exe	87
PID 868 wrote to memory of 2504	868	iaccess32.exe	87
PID 868 wrote to memory of 792	868	iaccess32.exe	88
PID 868 wrote to memory of 792	868	iaccess32.exe	88
PID 868 wrote to memory of 792	868	iaccess32.exe	88

C:\Users\Admin\AppData\Local\Temp\bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf879ee4df3d7bee174cd501b7147ebb_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:2504
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20110121210135\dialerexe.ini

Filesize
668B

MD5
1467c6499c1b070d0024c943457edaa0

SHA1
60f46c474f1020eb69773069438fedcf0c01d785

SHA256
4e10821d4827829dc8363f52027ba97e36cc8fffa3cc4fdb4a63ec8a54de38dc

SHA512
08d0de677245f90ad38278779ed610597227e761cdc46cf45a4390287a8d409584848da83fb35029fe0efa97ff9b484e4bae95d2c859897f5aedccdad5f51b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NOCREDITCARD.lnk

Filesize
2KB

MD5
3edeb129a3e3f029e3c62c6f1ad9eb7b

SHA1
94a8cf7314da833a0df50ce3b19c313277ce4915

SHA256
708381e2817a376a7472f09c3725b64cc1897d08df92edb5ae8c61ea88410d67

SHA512
ed6059d45585d5bb32db3c6f74ef3d610c2cf8ebe2cf3bc3b6e1c31c19120d6fc3c09913b5476561914b6adcf72a7fec8295db19eb002f35624227d65944bc77

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
7fd8ef8b935ba91d817fd2fcdb3cf966

SHA1
55daeac7fdc46232377601e9415094a89aa4490e

SHA256
ee4d72b49170307f1373150a984d34b378717644a0e10e1cac6dfe72a7ec7e86

SHA512
3f2714658fadac3ff0d192149b516c92b38dda7ae351e45dcc4a886236c52dfb9dceba0b0dc9c542a7fca4b5878f879f2bf965eda7a5a895542d1e08b0d24061

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
123KB

MD5
4ad8f5dd049a015f1e55921b4e8116b1

SHA1
822b931d90ed3627019a9a7f2c010fb9ac74b9d4

SHA256
1ba8e2b8799e47485d7aa5243d34e3543235ced1f57b054ad9cf43d50c47532e

SHA512
6238f033cc5444e9a03f88919485c10aab7e10b9ddf9436e541163a3620a18264f95df21e11ab47c42552243dfeb57c77523d514b78073cad0a7bc80d1911251

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/792-29-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/868-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/868-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3676-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3676-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing