f50de6cc6268c75f0273dc806eeca20389dc6ebfc0de5e821e408f27d2620f40

General

Target

05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Size

154KB
MD5

05e1a2d1c8f499961d117b0151aa9b57
SHA1

efba452f343aef7d9f14e7643c63c5318845a66b
SHA256

f50de6cc6268c75f0273dc806eeca20389dc6ebfc0de5e821e408f27d2620f40
SHA512

94ff0a69c57a77a358bf06d98e824852946dba18715e5125b156860bc7c947206560b2ace60cbefcc79cb74d3411a5c49808902fe89efa932c12f392bcd0c4eb
SSDEEP

3072:WHUkV92apgkgawkuF9I1doR9AQf1b7BnXoRnGZej2KHRH+lVMYqdl8Sx:Wt72MVganII1doHv1FXoYZ/SHUwdN

Score

8^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E6A6A4A475FCE37F8B5AC2F1244DEB2BFCA5615A\Blob = 030000000100000014000000e6a6a4a475fce37f8b5ac2f1244deb2bfca5615a0400000001000000100000007a68bb633908431943892a3367d06d7a140000000100000014000000ddecb7ce5fc19163068ed0cf17ec5f0837be4d3c190000000100000010000000a45a5658408a95bcc028098f99ce3b06180000000100000010000000ec1a4d9100ee75028fa1a6fae13986150f0000000100000014000000af403a966b3610b47aeeba048ddc0447275094ee2000000001000000c7030000308203c33082032ca00302010202105ffa045562aea8df47225ca526d8507f300d06092a864886f70d01010505003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3037303732353030303030305a170d3039303931353233353935395a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c594f4e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e534543555245204150504c49434154494f4e20444556454c4f504d454e543119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100ee90c94ca7fa561d0bc5f691bf6f9421b0a3ea1a023ba9a76e4910fa28c1e5a85eaa0dbe445f09855a1721cab725a145660330dd5c988ef2f9d8a4d17decc8f51075175e33dfba0f2263422818620e6d6ffcb0e21f707a0f993982e6a33d584135ae9008c989fd47211f6da0ce7e635f518417bc8fbf9b35c57316d9babd783adbb91bed8a219b5831e6eebe1414acbb3b4f9ed12b8fcc845e54ac45515eca7358400bfcfca48ebf9713fa1a3a31230cfa6e7c615e278557eb0a99a24ce65e4495155e07d41a5e8f4a716f903deded74f795eb478ae89fa4bbe37d7ae41ac0239e44db9c21c89454f43a2c4e9be4223e3351f3505096e34e0f9e8a055e37f4110203010001a381d83081d5300c0603551d130101ff04023000303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c301f0603551d250418301606082b06010505070303060a2b060104018237020116301d0603551d0404163014300e300c060a2b06010401823702011603020780303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d301106096086480186f8420101040403020410300d06092a864886f70d01010505000381810049f85fb6768dad0f3404a10c458a21d8a764da5aeae41194aad061706ca3da6f9ec223a9253fe8ac12a513d9866bac1013efeae6e1ec5766a15344c05f21bd4ad208419548a9e869d361a216e33bca39258743a604e4db62eeab3f1fa30277df3e4241d55ce3c0a138bac33927bf60212d91243a953ca3434abd9081ea940e4d	nsinet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo hpfanicgkffmccehnpkikogcffaepkfp = "electronic-group"	nsinet.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	nsinet.exe

Loads dropped DLL 4 IoCs

pid	Process
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Instant Access = "C:\\Windows\\system32\\nsinet.exe /res"	nsinet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nsinet.exe	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nsinet.exe	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-5-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2196-4-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2196-7-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2196-2-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2196-68-0x0000000005420000-0x000000000544F000-memory.dmp	upx
behavioral1/memory/2128-76-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2196-78-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2128-79-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral1/memory/2128-88-0x0000000010000000-0x000000001004C000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\medias\button3.gif	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\tray1.ico	nsinet.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\medias\dialer.ico	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\js\js_api_dialer.php	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\dialerexe.ini	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\medias\button1.gif	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\medias\button2.gif	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\medias\button4.gif	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\SuperBabes.lnk	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\SuperBabes.upd	nsinet.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\Common\module.php	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20080227030259\instant access.exe	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.zl	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Windows\dialexe.epk	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
File created	C:\Windows\dialerexe.ini	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsinet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run"	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E6A6A4A475FCE37F8B5AC2F1244DEB2BFCA5615A	nsinet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E6A6A4A475FCE37F8B5AC2F1244DEB2BFCA5615A\Blob = 030000000100000014000000e6a6a4a475fce37f8b5ac2f1244deb2bfca5615a0400000001000000100000007a68bb633908431943892a3367d06d7a140000000100000014000000ddecb7ce5fc19163068ed0cf17ec5f0837be4d3c190000000100000010000000a45a5658408a95bcc028098f99ce3b06180000000100000010000000ec1a4d9100ee75028fa1a6fae13986150f0000000100000014000000af403a966b3610b47aeeba048ddc0447275094ee2000000001000000c7030000308203c33082032ca00302010202105ffa045562aea8df47225ca526d8507f300d06092a864886f70d01010505003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3037303732353030303030305a170d3039303931353233353935395a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c594f4e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e534543555245204150504c49434154494f4e20444556454c4f504d454e543119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100ee90c94ca7fa561d0bc5f691bf6f9421b0a3ea1a023ba9a76e4910fa28c1e5a85eaa0dbe445f09855a1721cab725a145660330dd5c988ef2f9d8a4d17decc8f51075175e33dfba0f2263422818620e6d6ffcb0e21f707a0f993982e6a33d584135ae9008c989fd47211f6da0ce7e635f518417bc8fbf9b35c57316d9babd783adbb91bed8a219b5831e6eebe1414acbb3b4f9ed12b8fcc845e54ac45515eca7358400bfcfca48ebf9713fa1a3a31230cfa6e7c615e278557eb0a99a24ce65e4495155e07d41a5e8f4a716f903deded74f795eb478ae89fa4bbe37d7ae41ac0239e44db9c21c89454f43a2c4e9be4223e3351f3505096e34e0f9e8a055e37f4110203010001a381d83081d5300c0603551d130101ff04023000303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c301f0603551d250418301606082b06010505070303060a2b060104018237020116301d0603551d0404163014300e300c060a2b06010401823702011603020780303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d301106096086480186f8420101040403020410300d06092a864886f70d01010505000381810049f85fb6768dad0f3404a10c458a21d8a764da5aeae41194aad061706ca3da6f9ec223a9253fe8ac12a513d9866bac1013efeae6e1ec5766a15344c05f21bd4ad208419548a9e869d361a216e33bca39258743a604e4db62eeab3f1fa30277df3e4241d55ce3c0a138bac33927bf60212d91243a953ca3434abd9081ea940e4d	nsinet.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
2196	05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05e1a2d1c8f499961d117b0151aa9b57_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWow64\nsinet.exe
C:\Windows\SysWow64\nsinet.exe /run -Embedding
1⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\Multi\20080227030259\Common\module.php

Filesize
16KB

MD5
42cff6a460a2fec50dcaa513796826aa

SHA1
1983b8409a0a7d37829490072680081ac649cbb4

SHA256
b0378e5c13ad79af6ff6dc6b96a65138ba4ae41062111a9c1997f6177615efd4

SHA512
cc60237b9c1076c8b12d8c48e035df2e2892b80645924d9721a96cf846def29f6ff6f8ebcee7d04a27cafd55f9de93bce9e358b90d3b0ec354bde466be4b3bd4

Download Submit
C:\Users\Public\Desktop\SuperBabes.lnk

Filesize
2KB

MD5
340b7a6df1fbd61d160e7caf917e9794

SHA1
9de2fbe195d691983b14b7c7e41b6e39e0e0af47

SHA256
05f752f806dddb52e2522f6939bbec1ab24ebae34de46db30ffc7f8210f9c686

SHA512
c1114b22916a308ef840798d8e6acc41ddd5f08a8766fb66db12a1f070da0ca9ce1ccb779bd708d23f957249e9bd1beea5b12c026e9f5053b65dd6259ec71b84

Download Submit
\Program Files (x86)\Instant Access\Multi\20080227030259\instant access.exe

Filesize
154KB

MD5
05e1a2d1c8f499961d117b0151aa9b57

SHA1
efba452f343aef7d9f14e7643c63c5318845a66b

SHA256
f50de6cc6268c75f0273dc806eeca20389dc6ebfc0de5e821e408f27d2620f40

SHA512
94ff0a69c57a77a358bf06d98e824852946dba18715e5125b156860bc7c947206560b2ace60cbefcc79cb74d3411a5c49808902fe89efa932c12f392bcd0c4eb

Download Submit
memory/2128-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-76-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2128-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-88-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2128-81-0x0000000001EB0000-0x0000000001EB2000-memory.dmp

Filesize
8KB

Download
memory/2128-79-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-78-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-80-0x00000000051D0000-0x00000000051D2000-memory.dmp

Filesize
8KB

Download
memory/2196-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-68-0x0000000005420000-0x000000000544F000-memory.dmp

Filesize
188KB

Download
memory/2196-67-0x0000000005420000-0x000000000544F000-memory.dmp

Filesize
188KB

Download
memory/2196-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2196-35-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2196-7-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-5-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-45-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-87-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2196-41-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2196-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-2-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2196-104-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2196-105-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2196-106-0x0000000005420000-0x000000000544F000-memory.dmp

Filesize
188KB

Download
memory/2196-107-0x0000000005420000-0x000000000544F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads