af1bc6af103e9ea3bd96946812717234b4642a8a1c7e1986bdf1b9cdc3d994f9

General

Target

d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Size

40KB
MD5

d06350562ec98acb89c7a9ef020288ee
SHA1

5a49da1cce08f169542b9bdccb91e35149b32c17
SHA256

af1bc6af103e9ea3bd96946812717234b4642a8a1c7e1986bdf1b9cdc3d994f9
SHA512

4d8eaa98b3e9248b89367295eb09357c584a3a68daada747c0099f57247cb7dd55729d896236f8412843a53715a76ea490f025d10aee09f5405e66541434a5dc
SSDEEP

192:sT3PnEUwdhRFAH0EuFjgWgK0F7MrwhPUISj5yevcoQa9o35L02K45sV4:sT/BwdJAHzWgKiMsuhKoRu35+45s

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupd = "C:\\Windows\\system32\\winupd.exe"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupd.exe	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winupd.exe	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Search = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Search	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchURL = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchURL = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://69.31.79.100/search.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://69.31.79.100/index.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://69.31.79.100/index.php"	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2084	1576	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe	83
PID 1576 wrote to memory of 2084	1576	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe	83
PID 1576 wrote to memory of 2084	1576	d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d06350562ec98acb89c7a9ef020288ee_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\n.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\n.bat

Filesize
215B

MD5
4cb0929b5c1de247e741b096ed26fed1

SHA1
1cdcbb5f83d8e46439223f68071692db197b803c

SHA256
8d59587948340c9c9885c5f07375e606a12cac4153b2702b4ceb7c917ad2bcdd

SHA512
4a008b08ca77e572a39053adc916c0a6353d21aded48fd93c27e9cdbe42e3b89187bb72fbad9395529a14f6720373eb1f523b94b08e2df19173918b9a556ce5e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads