80461ef1cf185b27ee2403170a20a87a6ddbf8481dfe6e939a8582c0a939d8ad

General

Target

17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Size

5.1MB
MD5

17196f1ad48ddeac4dd67dda4ec23a8e
SHA1

27acf0077404613c5970dd32b8972af7d060616c
SHA256

80461ef1cf185b27ee2403170a20a87a6ddbf8481dfe6e939a8582c0a939d8ad
SHA512

a33daeab068ba8b40468103302370f6fec1fd4db6e2feaa7431e0a8d2ae1f3feaae6c9b685043e5dd42a7a777b65869368e0cbc226e21fbcd50f3189b845dd60
SSDEEP

98304:1jw+1B8W/bHmJ4NwByfAA9OvBuQTINmEKkrAYHRFQz:8gGKNES7QkLlAN

Score

8^/10

discovery evasion

Malware Config

Signatures

Blocks application from running via registry modification 6 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "e_patcher.exe"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "e.exe"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "yylauncher.exe"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "YY.exe"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts2	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
5032	17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17196f1ad48ddeac4dd67dda4ec23a8e_JaffaCakes118.exe"
1⤵
- Blocks application from running via registry modification
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit

Analysis

Sharing