b0afd506b29623f32a909e027bcfdbd10528585358ab4ea2af830dbfdf2479cf

General

Target

39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Size

116KB
MD5

39efd1c1b27d35600b1748c2d7be046f
SHA1

f8542f8a8eb4659f94e7f00703a17deed385427c
SHA256

b0afd506b29623f32a909e027bcfdbd10528585358ab4ea2af830dbfdf2479cf
SHA512

fb8422dd2ec6c6b97ff00f7379517902a344c83ba30620fcae9a48f7f6bd0ddfd5a7108011a844f6086eb0ddbef75039de46941729dbde7bcf2ced126a8a0aaa
SSDEEP

3072:yLk395hYXJgnZH23S4Ee6o8HO8OS/As51A4mvW0:yQqIZH19eN8H1HNmvb

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2448	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
2448	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\5310121012.dat	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\5310121012.dat	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "No"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\URLSEARCHHOOKS	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\InprocServer32	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\InprocServer32\ = "5310121012.dat"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\Programmable\1 = "1"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\VersionIndependentProgID\	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\about	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\TypeLib	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\http	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\http\{53101212-2024-1095-951B-9EA34E34E8CC}\CLSID = "{53101212-2024-1095-951B-9EA34E34E8CC}"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\about\{53101212-2024-1095-951B-9EA34E34E8CC}	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\ = "Windows HttpFilter"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\ProgID	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\Programmable	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\http\{53101212-2024-1095-951B-9EA34E34E8CC}	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\PROTOCOLS\Name-Space Handler\about\{53101212-2024-1095-951B-9EA34E34E8CC}\CLSID = "{53101212-2024-1095-951B-9EA34E34E8CC}"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\AppID = "{73A7FFA7-AA3A-49E5-A777-713B7DB78E9C}"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\InprocServer32\ThreadingModel = "Apartment"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\ProgID\	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\TypeLib\ = "{04F7BD61-E11D-4BB3-B6FE-B730BCA713D4}"	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53101212-2024-1095-951B-9EA34E34E8CC}\VersionIndependentProgID	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2448	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
Token: SeBackupPrivilege	2448	39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39efd1c1b27d35600b1748c2d7be046f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy629.tmp\JNsisExt.dll

Filesize
26KB

MD5
0894e240135a952bc74f532ae9b7b6f9

SHA1
a930889f3b8234d0870cd19a7a613b0363266a72

SHA256
c57fc56d5d1c886054cd0cd734945c08abcdb60c355f0ff0882714aa30ad0e41

SHA512
b422dd6684b0d052296284be58bc437659c6e327feb41b3f229ba438c49e54eea257e9b476f294fefb721868dd93bd36ed1a9252c179f0b3013a5e7bb1ecb234

Download Submit
\Users\Admin\AppData\Local\Temp\nsy629.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2448-9-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing