7abf8d047720f1a3b523a158aa490d7119c1d21e6ea268050afb4bc4844f161a

General

Target

f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe
Size

54KB
MD5

f0a56c655659240cc96f7d4f80c76e21
SHA1

6fe9160e4d4149f2015dff35565204a01d6fa67a
SHA256

7abf8d047720f1a3b523a158aa490d7119c1d21e6ea268050afb4bc4844f161a
SHA512

5cf4291d4c3787b478e9c5bd2a8c0ef7102a5753e4f588bda51bb2eb41c935fac3e19cb8b08c5b5b7a69353ae074043d1728fd2a051cd1cf99bfc8a221e1b744
SSDEEP

768:95ICSnbvbjDYZPEf/60sclO0s1DoKjSPLsOOLidEMn0OlYIPMMM5muSl:/IzbvLmMX6AlOH1UKjSjSM00P6MuSl

Score

8^/10

defense_evasion discovery evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe
2532	attrib.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BD04571-7860-11EF-913A-D61F2295B977} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1852	iexplore.exe
1852	iexplore.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2328	2824	f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe	32
PID 2824 wrote to memory of 2328	2824	f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe	32
PID 2824 wrote to memory of 2328	2824	f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe	32
PID 2824 wrote to memory of 2328	2824	f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2560	2328	cmd.exe	34
PID 2328 wrote to memory of 2560	2328	cmd.exe	34
PID 2328 wrote to memory of 2560	2328	cmd.exe	34
PID 2328 wrote to memory of 2560	2328	cmd.exe	34
PID 2560 wrote to memory of 1852	2560	cmd.exe	36
PID 2560 wrote to memory of 1852	2560	cmd.exe	36
PID 2560 wrote to memory of 1852	2560	cmd.exe	36
PID 2560 wrote to memory of 1852	2560	cmd.exe	36
PID 1852 wrote to memory of 2192	1852	iexplore.exe	37
PID 1852 wrote to memory of 2192	1852	iexplore.exe	37
PID 1852 wrote to memory of 2192	1852	iexplore.exe	37
PID 1852 wrote to memory of 2192	1852	iexplore.exe	37
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 1696	2560	cmd.exe	38
PID 2560 wrote to memory of 908	2560	cmd.exe	39
PID 2560 wrote to memory of 908	2560	cmd.exe	39
PID 2560 wrote to memory of 908	2560	cmd.exe	39
PID 2560 wrote to memory of 908	2560	cmd.exe	39

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe
2532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\dataread\1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\dataread\1.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\dataread\2.bat
      4⤵
      PID:908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\dataread\3.bat""" /f
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\dataread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1976
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\dataread\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2532
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\dataread\2.inf
        5⤵
        
        PID:1512
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1992
- C:\Users\Admin\AppData\Local\Temp\inlAB4F.tmp
  C:\Users\Admin\AppData\Local\Temp\inlAB4F.tmp
  2⤵
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F0A56C~1.EXE > nul
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
645B

MD5
4cafe2ab2ae87e0e3a16f6bd99e92437

SHA1
45757e5b258e3190ea4d4b092375bded4d5ea4fd

SHA256
90896bc5f40509bc3ed86e17cae17da22b4f4ab0e424dc4557b24eccc53429ce

SHA512
123a945a361a07a356361e796159406bff31dbfbe68afaa1f22e144dc2b4025d23112844db70e651b9ee41f674d8efb4cd10b23ee4992d9538de7ada6534f2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat

Filesize
55B

MD5
6f40aa13b4733d99a56ea538082114a1

SHA1
b267129b905c29bf1a74cad85bf6a31e6f5da4c1

SHA256
3f7525c06ba96afb5b39c5c84e229448cfe7da22474a6e351111bc13070e7413

SHA512
16d5b9f62cbff8063f9a1db44eb77e9981d659deb6b96603d9fa9365455ad41d6934d386c7740c4c53afa85b9a839b8a0d43db76090f125c9950fba608b3ab8c

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\1.bat

Filesize
3KB

MD5
b21e4f653320b34a01a860b1cf00c861

SHA1
3de8c41f014512ec793c3452b3c96f832644b0f0

SHA256
29a23c064b35e49d619825b67bf8b01ad6ba4c65e50e167bd69416cdca92d4bf

SHA512
6f791ca6c1929779e8c72b4c5c3ec79c8bd134845679e17915a4758a03b847efe5454fefe3af8be1eb17277ba73612d1534d09734c171f82b7ac351893cd8d9c

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\1.inf

Filesize
372B

MD5
b12963b468b68f030e9f0657b61be195

SHA1
e14aa110ef8a64ebc5eae328b1bec484bb2a71cf

SHA256
0d55327ae35340672d49f662512a7519302ead8ed74bc2d3a3c7a5f63b01fd98

SHA512
6a78a615026f5f2365441275174406120f32ef3e25554d7c9d7ed4b26c25620baab9e29f2a2da559723e92f2b14cfb7d7fc2ca8e5b70a5cffa17a5d2af683d0e

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\2.inf

Filesize
249B

MD5
ddf8482343b38e425558a5ea06c99cdb

SHA1
1109e4d5ef572915cafa82327d4537696d746e53

SHA256
c054ba607ea2db904ef8bf8ab83a4e68dbf32c1b41cfd6e71fd550e886f44de7

SHA512
aacdc2702b58cbcbb73d11dc73c09caa84cbbc50438cbdaf46557ba38249b881bbe08487341a2deec5372b742b7055e8633f7f5008808a713c0f9611c8809e7b

Download Submit
C:\Users\Admin\AppData\Roaming\dataread\4.bat

Filesize
12.3MB

MD5
1f5396178145b59853bcb29d89994425

SHA1
6a10de8da47dbd80fb4c952538601fd33d810de5

SHA256
a38ed27664740b21fd8bb2661477c6b5cb2440c75f5dbf116822c6fb6431f55e

SHA512
de5640117696420c1265d10b55e4801219383df279cfccd050913b91e2c2d169030421b55937f963249b1536029304a9fa7a9790970de2978a486c8e5d659dd8

Download Submit
memory/1852-68-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2824-6-0x00000000010F0000-0x0000000001115000-memory.dmp

Filesize
148KB

Download
memory/2824-38-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2824-5-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2824-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2824-0-0x00000000010F0000-0x0000000001115000-memory.dmp

Filesize
148KB

Download
memory/2824-102-0x00000000010F0000-0x0000000001115000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads