bddde7b79f8ed911f4ab3b108ca4003c889e8e6f3b9cd2c55eb9406e729458a0

General

Target

d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe
Size

183KB
MD5

d2fc07fe7958cb6e89deeac88de2d3a9
SHA1

5655c08131da8a93e49fe3856329c3d0dd576fff
SHA256

bddde7b79f8ed911f4ab3b108ca4003c889e8e6f3b9cd2c55eb9406e729458a0
SHA512

3ce9fcadbfb915babddf73e86b7da1d3f09f6403e75ff5bd9bc739890e67ce97deb7b8436849254a7b4400a1537d95565c489aace6769804998fbde9f0a94fe8
SSDEEP

3072:EamFnQYUM6m3SP2sVSdEnfWZN3cbgonk9sX1qalYuhLJNdjQVVTuP5J85Vi9iqVC:Eazq3aipalYuhoao5sQkzcKrpe

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group"	iaccess32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a07e-29.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2680	iaccess32.exe

Loads dropped DLL 3 IoCs

pid	Process
1720	regsvr32.exe
2680	iaccess32.exe
2680	iaccess32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1884-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1884-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2680-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000b0000000122cf-7.dat	upx
behavioral1/files/0x000500000001a07e-29.dat	upx
behavioral1/memory/1720-31-0x0000000010000000-0x0000000010047000-memory.dmp	upx
behavioral1/memory/2680-72-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e_go_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\dialerexe.ini	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20110128160128\dialerexe.ini	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20110128160128\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaccess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
2744	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1884	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe
2680	iaccess32.exe
2680	iaccess32.exe
2680	iaccess32.exe
2680	iaccess32.exe
2680	iaccess32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2680	1884	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe	30
PID 1884 wrote to memory of 2680	1884	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe	30
PID 1884 wrote to memory of 2680	1884	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe	30
PID 1884 wrote to memory of 2680	1884	d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2744	2680	iaccess32.exe	31
PID 2680 wrote to memory of 2744	2680	iaccess32.exe	31
PID 2680 wrote to memory of 2744	2680	iaccess32.exe	31
PID 2680 wrote to memory of 2744	2680	iaccess32.exe	31
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32
PID 2680 wrote to memory of 1720	2680	iaccess32.exe	32

C:\Users\Admin\AppData\Local\Temp\d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2fc07fe7958cb6e89deeac88de2d3a9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:2744
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20110128160128\dialerexe.ini

Filesize
670B

MD5
e92f4fa1f5b49c9c2f826a6d18e2e5f1

SHA1
7adfd44d813f22cbb72246dcc0af9707a2bf1d68

SHA256
fbf380e713f0f75bd60d9cc5beff283d3fe4d4373f11c6b0228ce1dbe003d2e1

SHA512
c9c9996b06dd2de0ac3c7cfda597fb15fe7e1f8774b424bf7ad8b94c19dd4567dd5cad98fe3e876bb1ff0720a50330e547a2c146d6d9f259fa2383a3681fe9a3

Download Submit
C:\Users\Public\Desktop\NOCREDITCARD.lnk

Filesize
2KB

MD5
19a42dba5275a012836a3c8879a4b0b3

SHA1
f6c391e9618422d2886585c0d72678e06c48d8a2

SHA256
07998a3e504b61dcb01b05fa0b67acdcb61ef243cbaf9e0474fbc6aaaae6257a

SHA512
93a50932de1e86c29683b6b3d5816c7655c6e6014f826a9226255dee218812c617551d74eeb386ea32b1dde61670e60ec0ecf411ca69771bf17c8688f4ba9d85

Download Submit
C:\Windows\SysWOW64\egaccess4_1071.dll

Filesize
76KB

MD5
b83f652ffa76451ae438954f89c02f62

SHA1
b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd

SHA256
f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f

SHA512
965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

Download Submit
C:\Windows\iaccess32.exe

Filesize
183KB

MD5
6c71e8313134706173d7fead9e692849

SHA1
e9d3bb8a2a59114adbacc5779b6559d4554bc8e3

SHA256
9e57de40dec38552533f2f8c9408780dc74e20ef2479afd429410c1fc90b9684

SHA512
d7f6ed2057359a0e73eee93c661fe4d8629b92badd801874f95362879a087a75630b3ad0036502b06849594db52c8cbcb2eea3df803c88b6ed0c3f331ce9d914

Download Submit
C:\Windows\tmlpcert2007

Filesize
6KB

MD5
b103757bc3c714123b5efa26ff96a915

SHA1
991d6694c71736b59b9486339be44ae5e2b66fef

SHA256
eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48

SHA512
d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

Download Submit
memory/1720-31-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/1884-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1884-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-44-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/2680-56-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/2680-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-73-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing