7842e6dce6549a3fb02280c676c7ee65c26d48dc0e22eab1f10e692bba2532d9

General

Target

0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
Size

173KB
MD5

0a1604b307eeaf470ba503a7f9b7ef5c
SHA1

329ac8273929c70f0ae70fc71b90cc2770155435
SHA256

7842e6dce6549a3fb02280c676c7ee65c26d48dc0e22eab1f10e692bba2532d9
SHA512

7f3d6cb30daebc47ed848f41b2c7b1d8686d66c973c99f70270b24de1dc726a74fcfe0648ba2e1bcf3a4fbd9cfdffb75ab12292670bbb8b32e1d34bfdc41d8a1
SSDEEP

3072:1pzRNYuluupWyvbOijh7UAoaI52pySvl3nW0CWcscGF8ZHmt4qCWX4wj:1ZRvupm9UX5WflXW5Wc88wGhonj

Score

6^/10

discovery evasion trojan upx

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nsinet.exe	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nsinet.exe	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5088-4-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral2/memory/5088-1-0x0000000010000000-0x000000001004C000-memory.dmp	upx
behavioral2/memory/5088-3-0x0000000010000000-0x000000001004C000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100105020150\instant access.exe	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100105020150\Common\module.php	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100105020150\medias\dialer.ico	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100105020150\js\js_api_dialer.php	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100105020150\dialerexe.ini	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.zl	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Windows\dialexe.epk	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
File created	C:\Windows\dialerexe.ini	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run"	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5088	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
5088	0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a1604b307eeaf470ba503a7f9b7ef5c_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk

Filesize
2KB

MD5
557f4b6e4f62e0601144a5c5d7cadea7

SHA1
132d6d39a330158d0841165124e24fd33a680666

SHA256
f64ff78defd554ad628b9fad63bb3f6115c497baa3e21f3613306b37af9e6be6

SHA512
8c7663ad35df5a9545f3fee72e4cbb3875f913fe6e1c51276b9613104e591045c79ebbc3c3302cd26ad23912044e3e9df60344b9e31f3e5f6f5da79aade9c16c

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20100105020150\instant access.exe

Filesize
173KB

MD5
0a1604b307eeaf470ba503a7f9b7ef5c

SHA1
329ac8273929c70f0ae70fc71b90cc2770155435

SHA256
7842e6dce6549a3fb02280c676c7ee65c26d48dc0e22eab1f10e692bba2532d9

SHA512
7f3d6cb30daebc47ed848f41b2c7b1d8686d66c973c99f70270b24de1dc726a74fcfe0648ba2e1bcf3a4fbd9cfdffb75ab12292670bbb8b32e1d34bfdc41d8a1

Download Submit
C:\Windows\dialerexe.ini

Filesize
807B

MD5
664e966a342edc18c400cda96ac9571d

SHA1
addb31a2fbce6418bc366c43ace648914130cf4b

SHA256
5bc7897ade84c52627bfe83cfd10ab95c61d75d5e262e9a8206e3c2ec6e5323b

SHA512
3a6c75bdd94fa75a2c9aa377538c3430f9401adb317c0dad07f999feaf01a5569b5bbca9955c93ea114b8004ad4a8e0c06ddbe8443ef5b6424464755c825e5e1

Download Submit
memory/5088-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5088-4-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/5088-1-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/5088-5-0x0000000000400000-0x0000000000443908-memory.dmp

Filesize
270KB

Download
memory/5088-3-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing