6017c9c427da769de7dedf91d1250c2a32a34b71a4e1fe3389362c1b9f782722

General

Target

fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
Size

1.1MB
MD5

fa6ceab0262055609beab19609de8482
SHA1

d19410d2489d313864dce3c327865c8193ee5ecf
SHA256

6017c9c427da769de7dedf91d1250c2a32a34b71a4e1fe3389362c1b9f782722
SHA512

c1e08fbfefd28d3b8d3a5faaca79c0f7b0ec7df5f74e71ecf25f83c24baa159e7dcbd40f32f8d8786f9db97ebc783dbbfffebf8bb1e12999ac430bec20ee2803
SSDEEP

12288:FSjzwRzH1RighUFZzHtC9FDY8c8H+Lm/yjxeiSOHTApwn2fTrNsef1JOXHXTSeD9:geVRrhMxY9FDY8cLa/OerzTrNtSjS

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\csrss.exe"	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	csrss.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-0-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-30.dat	upx
behavioral2/memory/5068-34-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/5068-37-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/3924-42-0x0000000000400000-0x000000000051F000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\winlogs.dll	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
File opened for modification	C:\Windows\winlogs.dll	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
File created	C:\Windows\csrss.exe	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
File opened for modification	C:\Windows\csrss.exe	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
File opened for modification	C:\Windows\winlogs.dll	csrss.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048fbccd11683704b8576130055a65001000000000200000000001066000000010000200000004b7b00740374aaa651011b2924434a10c9448e6d8539244f085647b9bb280c64000000000e800000000200002000000077e9af8ff5e0758695717b62005e18ed3839e4cf2d0d74ecfdcdb5635c8d80a92000000022264a139b82e7328a4cbf299fb0cd9752c2ef2b15909e2e44ac058e018371a240000000d0921dce82f2c23886eb2dfc8b268921b637823d7e22f8156fe338ca336624d0382b8eae3d4677907da9c71fbe85672a3c2f1b6a592e1dba9a9eedbc35540594	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0268b12dc3ac101	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F09B0C3E-7CCD-11EF-9A03-5ED96FC588C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048fbccd11683704b8576130055a6500100000000020000000000106600000001000020000000dc7a6da4495d4def5bde76ac1d808552485084b509d9021fab4d99fa5d075ee0000000000e8000000002000020000000a09dfcf7d364497692be85ff8231131163372521326c04a5741e80d6ceae028920000000869e320404784784a891ee561c1a32913cc9c383a16b5451e0720801a2683b6040000000026f7a8a99d547ab26194def6d9f48f5c2377850910535091741ebeee6391cd7942e5658b4afeae31454c82d98f0aedeca0fa0f5e197beb2511aaddd37f54de1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1839824621"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03f7f12dc3ac101	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3924	csrss.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3872	iexplore.exe
3924	csrss.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3872	iexplore.exe
3872	iexplore.exe
116	IEXPLORE.EXE
116	IEXPLORE.EXE
116	IEXPLORE.EXE
116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3872	5068	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe	82
PID 5068 wrote to memory of 3872	5068	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe	82
PID 5068 wrote to memory of 3924	5068	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe	83
PID 5068 wrote to memory of 3924	5068	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe	83
PID 5068 wrote to memory of 3924	5068	fa6ceab0262055609beab19609de8482_JaffaCakes118.exe	83
PID 3872 wrote to memory of 116	3872	iexplore.exe	84
PID 3872 wrote to memory of 116	3872	iexplore.exe	84
PID 3872 wrote to memory of 116	3872	iexplore.exe	84

C:\Users\Admin\AppData\Local\Temp\fa6ceab0262055609beab19609de8482_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa6ceab0262055609beab19609de8482_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\image010.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:116
- C:\Windows\csrss.exe
  "C:\Windows\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\image010.gif

Filesize
105KB

MD5
d1ba4a0125b4ddd0af15f8e7670d02b9

SHA1
6c306fa79757b57cb288df2a81838f60c800f939

SHA256
80c2a0bcd1abafc7489091da19c31361d26c42db5d695a932e8f97b6be447e82

SHA512
f6bc11f061c5cbd81dc1a73ad2c2ab494ff681b79bf6264519e18b20d5adf9f55c76a3f09c311757cef78f3db7a3d34721efb4f9caf11dadec7fc2f9faeadaac

Download Submit
C:\Windows\csrss.exe

Filesize
1.1MB

MD5
fa6ceab0262055609beab19609de8482

SHA1
d19410d2489d313864dce3c327865c8193ee5ecf

SHA256
6017c9c427da769de7dedf91d1250c2a32a34b71a4e1fe3389362c1b9f782722

SHA512
c1e08fbfefd28d3b8d3a5faaca79c0f7b0ec7df5f74e71ecf25f83c24baa159e7dcbd40f32f8d8786f9db97ebc783dbbfffebf8bb1e12999ac430bec20ee2803

Download Submit
C:\Windows\winlogs.dll

Filesize
243B

MD5
598cfa69ce34303d4c2e6c34b6d0f954

SHA1
21a0d4c6251bd0e9e4f3d15928a8fef6741149c5

SHA256
eff0f8bf1f75cc94c7ec091414fd8387fe3797fccc6ec83aa59e7a969890eefd

SHA512
1f03b003f1a24e4cd48b50e9d4b06ff18ac57e51f90d9ffa0d4d80b63f8354a23935092459c39fb0343a72256edce3a19b1af83e3236e0281f887b3f9d407e7c

Download Submit
memory/3924-35-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3924-42-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3924-43-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/5068-0-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5068-1-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5068-34-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5068-37-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads