cd7681c6ca1b1ea41d0cef919d794f20fe89e88518d5b70fd67a1033dad272d4

General

Target

01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll
Size

164KB
MD5

01a98142b184b284e6540f933de8cc31
SHA1

aa8cdcb7f1de25bad359e76c9355785210cecf6a
SHA256

cd7681c6ca1b1ea41d0cef919d794f20fe89e88518d5b70fd67a1033dad272d4
SHA512

4d0b86b18f0cada2ed804ab1c11c6c14e3fcc517c8be35a8c7d221d5b260a596a8e91090d8ef63a665ef8c972b98eba3d697d22794a4cf1ea69a03dbec1b05e9
SSDEEP

3072:1xvRNNRig4E1RxegxzkgWO+pglzhqWo2HhjOYLnHxZsakt7ae:3RUDW5WOUgvq52fH4nt73

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\jetemfilaso.dat,StartAs"	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\jetemfilaso.dat	rundll32.exe
File opened for modification	C:\PROGRA~3\jetemfilaso.dat	rundll32.exe
File created	C:\PROGRA~3\osalifmetej.dat	rundll32.exe
File opened for modification	C:\PROGRA~3\osalifmetej.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4608	rundll32.exe
4608	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4608	2824	rundll32.exe	91
PID 2824 wrote to memory of 4608	2824	rundll32.exe	91
PID 2824 wrote to memory of 4608	2824	rundll32.exe	91
PID 4608 wrote to memory of 3532	4608	rundll32.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll,#1
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\jetemfilaso.dat

Filesize
1.9MB

MD5
223682680f1668e7d6e40113504d3d6d

SHA1
599fcaf38d33f6383599ab7ec16ab808a20fbadd

SHA256
df753de2575548e624c81a8b109bb119cec9b94c2e9004ed4f1ab269b147612d

SHA512
d193ba5c0f1fa1785bf47ea4bcfa3b5683a3f5dc3af90b2fd03fa2d2add26210e15724a31078eb0da3c7321a531aa809704fd4280783279569cc68e9b869d09a

Download Submit
memory/4608-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4608-2-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4608-1-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/4608-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4608-17-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/4608-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads