e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60

General

Target

dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Size

293KB
MD5

dbc292a2292c6061700236830d45ca91
SHA1

fcdfba4b95c145a715209d694639de6be0478f6b
SHA256

e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60
SHA512

551e097fb31a5e7a6b6ecf602f7ae8cb63dc620940fe47b003ebcafcedbfdb391731cfce399b48111ee9524f2272f53eb4076c84f65e377336930fd6b3c3e0fe
SSDEEP

6144:6qcbmoTtMUxxzP75a2eoEnnZcYupty6DPlQ82hmbN:6NTTyUX/5a2NGZcTs6DPlahmbN

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe ,C:\\Windows\\system32\\PnkB.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000800000001748f-19.dat	aspack_v212_v242

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PnkB.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pp.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pp.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Version Vector	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.185b.com/"	regedit.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.185B.Com/"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
2336	regedit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2336	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2336	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2336	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2336	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2716	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2716	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2716	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2716	2572	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2860	2716	cmd.exe	33
PID 2716 wrote to memory of 2860	2716	cmd.exe	33
PID 2716 wrote to memory of 2860	2716	cmd.exe	33
PID 2716 wrote to memory of 2860	2716	cmd.exe	33
PID 2716 wrote to memory of 2896	2716	cmd.exe	34
PID 2716 wrote to memory of 2896	2716	cmd.exe	34
PID 2716 wrote to memory of 2896	2716	cmd.exe	34
PID 2716 wrote to memory of 2896	2716	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\\\35.ini"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs regedit.exe
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun96.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35.ini

Filesize
139B

MD5
bb454b063043f484326575ce60d587c1

SHA1
cac3171df8fc25526a82356ed53f1c45a86167be

SHA256
838a54026108ff550f5d3c425cf7852abea41882590863e423cf9e94573dc11f

SHA512
8c86e46eea787025937204f93738c02f1d5268c19e20126d86df5f1bb3d15367935b3f23e5c6c482b462ac79dbbcc87b38a952a3a8567bf9a3cff2a68ab92099

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun96.bat

Filesize
191B

MD5
5c716e6579353075cbb7d67cf9d8d0de

SHA1
b033eba781a4eaaecd015fd59189b26ea7dacd13

SHA256
b0cc60f962361c2bd560bf09989246ac8f48ecde94d1b3edd99e50aa6322a42f

SHA512
92bb090fe51ba17472cced2921b471666d2739783c1fba6e347479ff084f8583852bc057dd90b6b1fca6acb76a063e034b98f42a0b159b0a22fbf97b3ab8d069

Download Submit
C:\Windows\SysWOW64\PnkB.exe

Filesize
293KB

MD5
d35bae95bae2981ea43f8d07d8a7350b

SHA1
11a9f88b5a706e095f451598cd3452397c467dcf

SHA256
185d5d42dbe1107c58a8e940199d428cfed8ab1420f87c2f970affc273c64a0f

SHA512
054a0cf5f5d18f1f143e88e95a22be4549bbdd29c1407bdb6d20198f3cdf49955c8ebecf8906a7e72e5ede4d74a0608bff574fc48abe88903768446631df0de2

Download Submit
memory/2572-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2572-22-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads