1d35b1091605b9d4f16b3c943d07d3e4163461dd4797d9226e234de2ff5c6ea1

General

Target

d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe
Size

82KB
MD5

d3544d0a9c79693b2696b119154de4d2
SHA1

657ed696277dc1d06e4edb0deb206dfa53adec18
SHA256

1d35b1091605b9d4f16b3c943d07d3e4163461dd4797d9226e234de2ff5c6ea1
SHA512

e9403eedbe356e649d63d55d786c9140247026ab97f587dc741cd20e9743b7ce3df1d09b34ceca60cdbdb433acd1a51c87a3f70d279eaad1027e46df10880288
SSDEEP

1536:9RHuVx4vywtB87GVmSDb/jqaRZOGMZarXgU93PVY:9RHuVKqw87GVmW7tjzXgi3PG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1040	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe
1040	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2244-3-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000012118-4.dat	upx
behavioral1/memory/1040-12-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1040-11-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1040-10-0x0000000010000000-0x000000001002E000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1126271C-A8C3-438c-B951-7C94B453B16B}	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.dll	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1126271C-A8C3-438c-B951-7C94B453B16B}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1126271C-A8C3-438c-B951-7C94B453B16B}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1126271C-A8C3-438c-B951-7C94B453B16B}\InprocServer32\ = "C:\\Windows\\SysWow64\\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1126271C-A8C3-438c-B951-7C94B453B16B}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 1040	2244	d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.dll",inject
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\d3544d0a9c79693b2696b119154de4d2_JaffaCakes118.dll

Filesize
65KB

MD5
b4723d56d02100d7fad4de5b070e2f73

SHA1
723c14f0a3e9567156a1ae2dfa72ea229062a96d

SHA256
97ed6d11e33523328f4a825b2d1e2ed0c86d0d4c71ef679bb5b899f072267ad5

SHA512
418fffb29843c48b6937794a447fa795cc30c2290149d791499b0a5db0e3f7ca9da49088be3a17a26cca3c426802f3181b9cf191ce310679b4433c2b55d47448

Download Submit
memory/1040-12-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1040-11-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1040-10-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1040-9-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2244-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2244-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing