d675f81960e27a32b69e02cae2dd6c58327c5378bce4a9e6142630d7fffdb051

General

Target

36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Size

647KB
MD5

36b3356906581a9501b10b8f2cb1414e
SHA1

f0dea476f2fa001a364590635de5cf6691489f5e
SHA256

d675f81960e27a32b69e02cae2dd6c58327c5378bce4a9e6142630d7fffdb051
SHA512

4a4f3c511aaed6b65bd4edefda540ef791ce11fe8a7acd8dc6eee18c6cb16de9fadc5c0417434da29ceb9fb328075b3b6167cf6336c96cbfcfb97686a6d2f61d
SSDEEP

12288:twZ+r2ML1m+WEB3b6zZwlAAG72vDj6knSFcYTnKuVPYlFdRAT:tg+rdL2EB3uz6A172v6kndeKOPYluT

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	install.exe
2036	mfc140fra.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	regsvr32.exe
1724	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe /k"	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe /k"	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfc140fra = "C:\\Windows\\SysWOW64\\mfc140fra.exe"	mfc140fra.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{868AFD45-13E7-40ED-A67C-1234DC11FF62}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\8jnpreb.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install.exe	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\5ny7.dll	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\8jnpreb.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\8jnpreb.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\8jnpreb.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfc140fra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32\ = "C:\\Windows\\SysWow64\\5ny7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1340	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	86
PID 1884 wrote to memory of 1340	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	86
PID 1884 wrote to memory of 1340	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	86
PID 1340 wrote to memory of 2036	1340	install.exe	87
PID 1340 wrote to memory of 2036	1340	install.exe	87
PID 1340 wrote to memory of 2036	1340	install.exe	87
PID 1884 wrote to memory of 1724	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	89
PID 1884 wrote to memory of 1724	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	89
PID 1884 wrote to memory of 1724	1884	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\install.exe
  "C:\Windows\system32\install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\mfc140fra.exe
    "C:\Windows\SysWOW64\mfc140fra.exe" [*]install.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\5ny7.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\8jnpreb.sys

Filesize
647KB

MD5
36b3356906581a9501b10b8f2cb1414e

SHA1
f0dea476f2fa001a364590635de5cf6691489f5e

SHA256
d675f81960e27a32b69e02cae2dd6c58327c5378bce4a9e6142630d7fffdb051

SHA512
4a4f3c511aaed6b65bd4edefda540ef791ce11fe8a7acd8dc6eee18c6cb16de9fadc5c0417434da29ceb9fb328075b3b6167cf6336c96cbfcfb97686a6d2f61d

Download Submit
C:\Windows\SysWOW64\5ny7.dll

Filesize
330KB

MD5
01e06192968763153af268754f32145f

SHA1
61c7df72f2b87187c98cfe7d6584105576b07691

SHA256
8301d66d0a02ee47734f8bed9ea94b124ea99aa2c623396d1f34a86455d9fcd0

SHA512
5e79667d5d13c843c1fb6a66f3d3635e58461e24448aae203da06fb4538f1e1ea5e234f41c06a0da1d00a3fd377290f7e9cc81b105cada7d47df2807ccdb9fd9

Download Submit
C:\Windows\SysWOW64\install.exe

Filesize
39KB

MD5
f337301737e731703a679b1f57935e6b

SHA1
73f2375c3e2fce1f19c861dea67a2016236310f3

SHA256
9d17f711e76f5ceff9692473e422a782adb10c32e3a0bf7e0fc942a5baf088f6

SHA512
cd83f58be56f39dd279b4528ba542e4673e2237a0f203954bd7e366b4787c8f6c6185815ecd217336f215efb2f91d3691a27b7c6b643de06600b0a38756fe418

Download Submit
C:\Windows\SysWOW64\mfc140fra.exe

Filesize
53KB

MD5
d28eec2092ea8c17f5a8d8ef52806b01

SHA1
225ceb74c7de5a00fcc74c71bc57d7e5d973645f

SHA256
a833e01ab3197afbfd0ab24c0d39eadc706b120702ca745a7b336c8829165f3d

SHA512
e2e537e359fd181861933d259d5cd00feb84bf5a6700296b7517c4ecb86ac350271f5649c619b6447823c7bf5c3467968826689be556700516d73415d64d53b1

Download Submit
memory/1340-23-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1340-37-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1724-59-0x00000000021B0000-0x000000000221A000-memory.dmp

Filesize
424KB

Download
memory/1724-58-0x00000000021B0000-0x000000000221A000-memory.dmp

Filesize
424KB

Download
memory/2036-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads