e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60

General

Target

dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Size

293KB
MD5

dbc292a2292c6061700236830d45ca91
SHA1

fcdfba4b95c145a715209d694639de6be0478f6b
SHA256

e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60
SHA512

551e097fb31a5e7a6b6ecf602f7ae8cb63dc620940fe47b003ebcafcedbfdb391731cfce399b48111ee9524f2272f53eb4076c84f65e377336930fd6b3c3e0fe
SSDEEP

6144:6qcbmoTtMUxxzP75a2eoEnnZcYupty6DPlQ82hmbN:6NTTyUX/5a2NGZcTs6DPlahmbN

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe ,C:\\Windows\\system32\\PnkB.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000b000000023372-14.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pp.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PnkB.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pp.exe	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Version Vector	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.185b.com/"	regedit.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.185B.Com/"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
4388	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4388	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	86
PID 1856 wrote to memory of 4388	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	86
PID 1856 wrote to memory of 4388	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	86
PID 1856 wrote to memory of 4120	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	88
PID 1856 wrote to memory of 4120	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	88
PID 1856 wrote to memory of 4120	1856	dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe	88
PID 4120 wrote to memory of 3516	4120	cmd.exe	90
PID 4120 wrote to memory of 3516	4120	cmd.exe	90
PID 4120 wrote to memory of 3516	4120	cmd.exe	90
PID 4120 wrote to memory of 4056	4120	cmd.exe	91
PID 4120 wrote to memory of 4056	4120	cmd.exe	91
PID 4120 wrote to memory of 4056	4120	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc292a2292c6061700236830d45ca91_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\\\36.ini"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs regedit.exe
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun22.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36.ini

Filesize
139B

MD5
bb454b063043f484326575ce60d587c1

SHA1
cac3171df8fc25526a82356ed53f1c45a86167be

SHA256
838a54026108ff550f5d3c425cf7852abea41882590863e423cf9e94573dc11f

SHA512
8c86e46eea787025937204f93738c02f1d5268c19e20126d86df5f1bb3d15367935b3f23e5c6c482b462ac79dbbcc87b38a952a3a8567bf9a3cff2a68ab92099

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun22.bat

Filesize
191B

MD5
ea4a53c540281f0999211d094132d387

SHA1
c66efbe3dcad0e6b54dc7e4916dffb2f482b4552

SHA256
bd5b15a14844a404d657174b70a106f4d1d5b651be94ed2ff5707cecb340fcdd

SHA512
97a0de90788f267a9b0c6c63c84edf0f714d4519a1d308a54f76403e7590b53c829fbb1b4a873c8ad3683cecc58f13e69d7dcd462f3d10001808ef60c886c2fe

Download Submit
C:\Windows\SysWOW64\PnkB.exe

Filesize
293KB

MD5
4fabbf59a743e4f14d790757aaefdc46

SHA1
93d3ca31986430c1bad8e7a9cf1c47594afbfb20

SHA256
9e3765d54dddaa165aba77839b3a45ab8010b98581dc5f75d684bea1550292c6

SHA512
5869837d7f9e96f3cdd9b8453a76f4b933e0b3dcb29dad4e4ed48e6ba85fd6ce9a4edbd2929dc7c39a567bf1e0fe43e36a02ff597f3c23d184ff84f8ff16a3c2

Download Submit
memory/1856-0-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1856-16-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads