a230d2293b222ee16f4c91537b3fd2e08188ade24b249b824dcc120fd3997133

General

Target

bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
Size

1.1MB
MD5

bfd29f6f484a0a72129557ee7a4dc943
SHA1

8b87c75b9b1c9187c4de50b562a09d55087b3797
SHA256

a230d2293b222ee16f4c91537b3fd2e08188ade24b249b824dcc120fd3997133
SHA512

c599f5ae434f033050d4db38a75aad149bb59b6b980f3adfff61418bebba1767c50a87d353173d3852494639f8b64f5b0735459658a8732f1f2cdf6af278795d
SSDEEP

12288:N8kOUf9ZrYkh3VnaxItFfe1MYUj+zUmRhPms52i9yINBm8Wg5vVL6GVbqqxxQUhb:PB7rRMkRI1IWhvl9yINhWM1b57G+Zr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2184	isass.exe
2188	starkoxp_flooder_1839.exe

Loads dropped DLL 6 IoCs

pid	Process
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
2184	isass.exe
2188	starkoxp_flooder_1839.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	starkoxp_flooder_1839.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	starkoxp_flooder_1839.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2900	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2188	starkoxp_flooder_1839.exe
2184	isass.exe
2188	starkoxp_flooder_1839.exe
2188	starkoxp_flooder_1839.exe
2188	starkoxp_flooder_1839.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2184	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2184	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2184	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2184	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2188	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2188	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2188	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2188	1948	bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2184 wrote to memory of 2712	2184	isass.exe	32
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2856 wrote to memory of 2900	2856	cmd.exe	35
PID 2856 wrote to memory of 2900	2856	cmd.exe	35
PID 2856 wrote to memory of 2900	2856	cmd.exe	35
PID 2856 wrote to memory of 2900	2856	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfd29f6f484a0a72129557ee7a4dc943_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2900
- C:\Users\Admin\AppData\Local\starkoxp_flooder_1839.exe
  "C:\Users\Admin\AppData\Local\starkoxp_flooder_1839.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\dnserrordiagoff[2]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
540KB

MD5
5fb333fe2010f99ca6e026d4793aff67

SHA1
9dfcd7ec1bf41d6b72f7f06ca305a802211bb22b

SHA256
8f6e95472407c9941c3ce45085c2bf752ff85a62bc201d77da39f03fa84c3b67

SHA512
a9ebf799cb56270f05a3e73ba62403562a6a14e38bad452bad3765fffcd559d56c00df84aea09f9edb2de1a9aa533c614662c25f081b6d3c6223889318832184

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
113KB

MD5
aaca82094ba924888a9a4b372d615213

SHA1
67a2efd4a6a8574b685a755d27a3a370959b9fa6

SHA256
40988216e1fd77c8cf58394ade55cfbf6312343d200cf65b25d350c571aa7949

SHA512
443ce4a07b6e9db94affbd26ab5355a7edbd578adffcf42ee901bef8357bb42b7887d6f1dccc50068e58b15dca520d46a594734a61d76ea28ca9cb54b9582662

Download Submit
\Users\Admin\AppData\Local\starkoxp_flooder_1839.exe

Filesize
124KB

MD5
7180a63cecf68604fe84b244fc65d0d4

SHA1
0712a3f5b6025f1cfecc6401263d7600183935f1

SHA256
cc6f601ef0bf98e97e73111662c114d25fd1576358dfaf8acb4ada0279c2036e

SHA512
87c3168a3ec959704bd4e4b31831583e14dbd42f4ca53efa86c55275682cbbeaa24bfa3d6f1ea3a16a806d63c8abeec9850920b23b2b4a4e40a3ea1beabea197

Download Submit
memory/1948-20-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1948-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2184-52-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/2184-51-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-25-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/2184-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2188-36-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2188-53-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2188-38-0x0000000004750000-0x00000000057B2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads