9b71702e10ecfe84b52dc6cc7c5ffc25ab61ddfa3003b4e12035a6578cc4d9e6

General

Target

ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Size

164KB
MD5

ea805757e253af3dd31df939c195802b
SHA1

65961aa52ac859f11be9955df506b72ffc964d2d
SHA256

9b71702e10ecfe84b52dc6cc7c5ffc25ab61ddfa3003b4e12035a6578cc4d9e6
SHA512

2c2b961932360495ee146ab4218bc53237cd4a0901948c2bfe382b70962bcf68d2c1ab4ab871a93d735af431716fe7e4782e9bc62187c7dd02c72b5d7c602072
SSDEEP

3072:7rBupLDVE6xErnRJrf2f6JeZvjEAvQkwUyD2xfGUXIEk5SPEX7o:RmW6UtYRIAYkNyGfGZLo5

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\nubeydkl.sys	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\hawanpkt.sys	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hawanpkt.sys	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\nubeydkl.sys	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
1732	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-8-0x0000000000280000-0x00000000002B7000-memory.dmp	upx
behavioral1/memory/1732-7-0x0000000000280000-0x00000000002B7000-memory.dmp	upx
behavioral1/memory/1732-12-0x0000000000280000-0x00000000002B7000-memory.dmp	upx
behavioral1/memory/1732-37-0x0000000000280000-0x00000000002B7000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{793943BD-FCC2-41E9-AA62-304882A5DFC1}	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{793943BD-FCC2-41E9-AA62-304882A5DFC1}\InprocServer32	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{793943BD-FCC2-41E9-AA62-304882A5DFC1}	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{793943BD-FCC2-41E9-AA62-304882A5DFC1}\InprocServer32\ = "C:\\Windows\\SysWow64\\acppag.dll"	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{793943BD-FCC2-41E9-AA62-304882A5DFC1}\InprocServer32\ThreadingModel = "apartment"	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1732	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1732	ea805757e253af3dd31df939c195802b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ea805757e253af3dd31df939c195802b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea805757e253af3dd31df939c195802b_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\acppag.dll

Filesize
90KB

MD5
ec027f4e03773ef27ccf79cbacd4fa34

SHA1
eeeb3f8a1dc876f1bb573e5497e1b6719cf661c5

SHA256
c105afe3f91cc5c971ee9a83bbb43cdaba4ced00b1c2c9eecbaf01363e3ca928

SHA512
24a061c86de7b668177e5bcde756d0212bf6bc206debd7d613d37e1f57e2fb3d9c87cb4d469b0907126d03f171e4aac65f988967237f8fb3fc4bdbb6699dd2c4

Download Submit
\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-.dll

Filesize
58KB

MD5
ee5db68a4d6b6a7015ba2714543542eb

SHA1
126590ed7bf005f2390d68eb55d7aa71c54a4b0f

SHA256
5f2863f087cd452b0944c97c91f3cd5817689c7b96fb1b7062b54a85fa6a83cc

SHA512
bc138ecb05cf9f9e992ace9f8cef5f6a1c5f02d09e0b19af444d4b992026ecc0f8c1d69df62416f44ded3973b6d6720062450fc7cb07d4e05bfc8cd3f78e4f53

Download Submit
memory/1732-11-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/1732-12-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1732-8-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1732-7-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1732-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-10-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/1732-0-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/1732-6-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/1732-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-27-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download
memory/1732-28-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/1732-38-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/1732-37-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1732-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-35-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing