16571df7675759662d0f30aa2079cf082fb4f999a192c6fcc56a6e21e0a73e8a

General

Target

eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe
Size

3.1MB
MD5

eef272c5ef4f066483053a47dde0f4be
SHA1

396be9a12adf78335fa1558ce9816cd5c1a96d33
SHA256

16571df7675759662d0f30aa2079cf082fb4f999a192c6fcc56a6e21e0a73e8a
SHA512

bf998cb631030722acaeeb606dbb41b03466a67524c917c0d06a5978920b363ee85925ddd33bd78400c805deda8bcd648685db3aa8e0d3d1312e0c4c6b5a2e46
SSDEEP

49152:uiJk3JUTeXWgMBM2tz4eJW365sHho8J1oYh6MhOqu1:rJMJeBO4PJAYsH38y6a6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	BeatTrojanScan.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe
2760	BeatTrojanScan.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2776-35-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BeatTrojanScan.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	BeatTrojanScan.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2760	BeatTrojanScan.exe
2760	BeatTrojanScan.exe
2760	BeatTrojanScan.exe
2760	BeatTrojanScan.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2760	2776	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2760	2776	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2760	2776	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2760	2776	eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eef272c5ef4f066483053a47dde0f4be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\SubDirectory\BeatTrojanScan.exe
  "C:\Users\Admin\AppData\Local\Temp\SubDirectory\BeatTrojanScan.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FP3E58.tmp

Filesize
195B

MD5
dfc27890c2d7386b6c34dd83af455566

SHA1
fff70f41af7588966dba829275b70c952404634f

SHA256
f0903831a8f98c9879839a0dc40a60678f889d62248ed84fc51d4ae7dbb5463b

SHA512
590d77bc92f5f03ab4576d7f47fddc13b70a06cf0711728bce379f446bb04917fe2e8f6485a0b7c986336fd85e91caae6022c967e7924d0118d27d4e1aff9dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SubDirectory\BeatTrojanScan.dat

Filesize
146KB

MD5
2b707e843c78468ccd6769639fd548c0

SHA1
c4b4fdb47ab57126603585fe6c1b5e1388384797

SHA256
faba07cb2628a06249c526d990ca30f29b0e26c8094d81e75557666ca3e03824

SHA512
59d9830dc4355ef3aff1f82b6a45589a652d10aab880ad16c56325aa313086134a3e0756839738b7828e95479a9a877dd1668bb0f2d720ad818af8d0a183282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SubDirectory\BtSetting.ini

Filesize
29B

MD5
a1f63aea466c9c7f3d22054c1f63bfd7

SHA1
c69e9d080654fd698543fb89c67d7cba30407866

SHA256
6160b024d88c925fb3965afe8d197c1d7eb8ce75995bad0e26a53a9c8154d8df

SHA512
42d2ded032481bee21a27a9e659803ac938da3685d6ca7d7a767864b06f4fdeb759a4820f42184959c9de1754d0194b53f4b27f2d50ffd66ae5fc5a037dcce78

Download Submit
C:\Users\Admin\AppData\Local\Temp\SubDirectory\HotfixSetting.ini

Filesize
188B

MD5
b356cd190a0e4b6aef51d27c8b45c8f9

SHA1
5afafa267d063d822962a5f9153a3eb04afdb728

SHA256
d437fb1537c5b8000b411c9932c5d4cc43e4698f158911417794e8f986132749

SHA512
9b08d56bc005c963f2755d5dda4a0f7f0301e5a0c702f366e02f0b185409d908c45fb4043382ed8f970d886e5ed0424c43cd821ebb25212a3564202a87e5747c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SubDirectory\Lang\Chinese.dat

Filesize
3KB

MD5
fcaa060782789ee8077d63ea3232aefe

SHA1
8ce2469bfee46a54f0123061c949114d89f2e1e6

SHA256
8c6cc6690b44d193398536e4a89897bead1d8c6337741889a8483cc888cfe1ef

SHA512
9b1639576ea8c02947ba56c7948c02eeb7dcc888f37d5308c9285deaf65b3f7407e21dd0d5a1ad3eff222068e9ea404630c860bef5cf7a8dd056a46c4295a4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SubDirectory\Office2007Blue.dll

Filesize
320KB

MD5
6196c2b3c730dfe4eb2072cbf0126a4c

SHA1
78a7a4320eaa6cf3c9b5ed3bfc727f8f5ee8b93f

SHA256
054cc0bc3a8a6e32625d34706268d078de10aff60f33bfe9414b4db73c09f9a5

SHA512
5721f8886d363b6b68378482be62eee90415c64ca3d34aad944c8c23cec8e75c52e7a1e0f636d7833d3b44e5951fdc239b8d344c9e3775783f350ee34736561d

Download Submit
\Users\Admin\AppData\Local\Temp\SubDirectory\BeatTrojanScan.exe

Filesize
876KB

MD5
adb40b638eecf586def9bda2c9df6291

SHA1
5b3898c6c70f0c4fa29834aefc8e486f3e720049

SHA256
9c4e43c36f29f5c3e7989fa03ef2a9f6e72e89ad5c70a77768b80a43089ac23f

SHA512
2113e3413f39dbbc056152a52ddc05500c944e8c7aae12968bcebb12a69ca30b85b421f13bd3111011ebe804089054e9f5046c749daf5ea8cb5f61d9eaba8dd4

Download Submit
memory/2776-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2776-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing