e9f024687d8e0a76e2cdf6feeeb34650ecab74781b0b1805014fc936fa9693fb

General

Target

14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
Size

4KB
MD5

14b86c3789f4d0693e2eb16c7f2ccf24
SHA1

1937719eaf54770dedefe403f00e490683252203
SHA256

e9f024687d8e0a76e2cdf6feeeb34650ecab74781b0b1805014fc936fa9693fb
SHA512

b66229007bdfbb84e0632441ae233bc9bbd0469792b1350364455a7aa7019380ae56c17153d1b8332bc91d00dbe2103aabdb994761c084ed1b2b77db5414ceb5
SSDEEP

96:meTOQska/XzqPKJULwl0YOqBKT558T7jQ6IVY6WnKjsBNO:meK/XXzq/LwG6a/u76VY9Kj0NO

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000d7deb0e0596e7b9e15831fdc43bbb848e45d6c5a5d6468f0dfbd6a7110869972000000000e8000000002000020000000bb3860341381e6fcb47d375f1acae2c82531142ede6a98963f328e73f56e2bcd200000003b6892679552e1a758f625d0649027ddc9089f3d788b2146896515845ddf2d6a4000000080275bf56b58f8f4174292fcae9602dcb270c092b68f9865e4a2299a1f9274fdbee3c52ed5783b7c4d9dace872aac097ce8783f39d60fb623e0fa588386f75d8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000eaefa626a9237c3b1587f487a5162657102af63654fb2384d051e34ed3fff3e9000000000e8000000002000020000000b5259d5d418cfaccaa5f48e3a21fdd227042384384bd418cbd33542bfd1c77a82000000039c3976763499801bf86cf15839ed543ee21eeea49415f7b446ba5fdd34e4f9a40000000b5ac8217bcb72bca8d6c4aa32a97f6d74cad0300e3863a59800fc58d2a0082c2655bc0cab1374fe8c59d5c8e7443d04f6d036e4227eb9c6f21b4710e42d82411	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303162079716db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205d69079716db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{32864E50-828A-11EF-B1C5-FA5B96DB06CB} = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://yahoo.com/"	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2196	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2196	iexplore.exe
2196	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3236	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	81
PID 844 wrote to memory of 3236	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	81
PID 844 wrote to memory of 3236	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	81
PID 3236 wrote to memory of 4892	3236	cmd.exe	83
PID 3236 wrote to memory of 4892	3236	cmd.exe	83
PID 3236 wrote to memory of 4892	3236	cmd.exe	83
PID 2196 wrote to memory of 1936	2196	iexplore.exe	86
PID 2196 wrote to memory of 1936	2196	iexplore.exe	86
PID 2196 wrote to memory of 1936	2196	iexplore.exe	86
PID 844 wrote to memory of 5052	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	87
PID 844 wrote to memory of 5052	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	87
PID 844 wrote to memory of 5052	844	14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14b86c3789f4d0693e2eb16c7f2ccf24_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623562.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -embedding
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623578.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240623562.bat

Filesize
110B

MD5
2676bd532fef6a06fdeeefdab845b0ee

SHA1
4c949c3f19417576c91b2da23d078884197d52e9

SHA256
3b3fde5f3be97c4a481ab6fe846f49f6979d3519336efea294ad8fea4cd18ab1

SHA512
abf0f9ff6345525ef6a31fcd372a2ff63fae8098fae4645afb8ab20dac8908b7d6caa6809891df72aafcb081cfb174966868fb1441cf8e2b249d16a6f03e64e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\240623578.bat

Filesize
264B

MD5
485eacd604e81b2c384c743878ce1004

SHA1
00c1290b033104fd6ab968ab7779a8e200f46a47

SHA256
d33c7c8b95badfd9848cfe04cf8974b442d6e9e18e51f6718e96c9eeec0b5f5b

SHA512
ae0cf55b0e3d3b0dbc60b98c8de7dc538c45892b25459aa830613ba6dc72af0d768f14c598477011c64f0f83ba796cb046fe28ec69179974cbb2ba3b45300eac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads