4b93c0ded1b12e763335652da79ba45c42dd76ff208fbc199216ed9a92703891

General

Target

3fdabca3e770d9e9089a40629d215b91_JaffaCakes118.dll
Size

313KB
MD5

3fdabca3e770d9e9089a40629d215b91
SHA1

980b39c1aac020567d047ebff7502ecc3bda7318
SHA256

4b93c0ded1b12e763335652da79ba45c42dd76ff208fbc199216ed9a92703891
SHA512

58db99b0f8d549f839feb0cee5f7c5e4d0213d390bab48962d58f919faa1c835c040d53ca4c75bb0162a9ccde01cca9fe077814e762f8313f0995a57709b3163
SSDEEP

6144:Kf4Np33ku1SRwx9D+DND29GsVND0fZWkYkWcACqhQDG:c4DHktRKoa9/VNo0kFdAlQDG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1244	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
796	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsmqcnfe = "regsvr32.exe \"C:\\ProgramData\\tsmqcnfe.dat\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsmqcnfe = "regsvr32.exe \"C:\\ProgramData\\tsmqcnfe.dat\""	Explorer.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
796	rundll32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeCreateGlobalPrivilege	1556	DllHost.exe
Token: SeShutdownPrivilege	1556	DllHost.exe
Token: SeDebugPrivilege	1556	DllHost.exe
Token: SeCreateGlobalPrivilege	1656	rundll32.exe
Token: SeShutdownPrivilege	1656	rundll32.exe
Token: SeDebugPrivilege	1656	rundll32.exe
Token: SeCreateGlobalPrivilege	796	rundll32.exe
Token: SeShutdownPrivilege	796	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 1656 wrote to memory of 796	1656	rundll32.exe	29
PID 796 wrote to memory of 1244	796	rundll32.exe	20
PID 796 wrote to memory of 1244	796	rundll32.exe	20
PID 796 wrote to memory of 1556	796	rundll32.exe	22
PID 796 wrote to memory of 1556	796	rundll32.exe	22
PID 796 wrote to memory of 1656	796	rundll32.exe	28
PID 796 wrote to memory of 1656	796	rundll32.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1244
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3fdabca3e770d9e9089a40629d215b91_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3fdabca3e770d9e9089a40629d215b91_JaffaCakes118.dll,#1
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\tsmqcnfe.dat

Filesize
248KB

MD5
a4521b8844fe29b076a8a266a2c5c3d0

SHA1
1f0ba986a239cadfc9228faccc8e629a63464369

SHA256
7a3139468d4626f01dbd3e3a5dee2116693b7c1a6bab6a784d3581cb35a82a47

SHA512
6f1fa0316942bfe6420720560962a8aab87e2b73567f7e04515cbd2b65ddfb91dd4de22b81c473adc67ad5fa0839bf922a14d9c7631c56409453137d8cf41e42

Download Submit
memory/796-0-0x0000000010005000-0x0000000010008000-memory.dmp

Filesize
12KB

Download
memory/796-1-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/796-3-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/796-12-0x00000000001C7000-0x00000000001CA000-memory.dmp

Filesize
12KB

Download
memory/796-13-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/796-14-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/796-35-0x00000000001C7000-0x00000000001CA000-memory.dmp

Filesize
12KB

Download
memory/796-36-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/796-37-0x0000000000D30000-0x0000000000DA8000-memory.dmp

Filesize
480KB

Download
memory/796-34-0x0000000010005000-0x0000000010008000-memory.dmp

Filesize
12KB

Download
memory/1244-22-0x0000000002A70000-0x0000000002AD8000-memory.dmp

Filesize
416KB

Download
memory/1244-24-0x0000000002A70000-0x0000000002AD8000-memory.dmp

Filesize
416KB

Download
memory/1244-23-0x00000000775C0000-0x00000000775C1000-memory.dmp

Filesize
4KB

Download
memory/1244-27-0x0000000002A70000-0x0000000002AD8000-memory.dmp

Filesize
416KB

Download
memory/1244-25-0x00000000029A0000-0x00000000029ED000-memory.dmp

Filesize
308KB

Download
memory/1244-19-0x00000000029A0000-0x00000000029ED000-memory.dmp

Filesize
308KB

Download
memory/1556-28-0x00000000775C0000-0x00000000775C1000-memory.dmp

Filesize
4KB

Download
memory/1556-29-0x0000000001E70000-0x0000000001ED8000-memory.dmp

Filesize
416KB

Download
memory/1656-30-0x00000000775C0000-0x00000000775C1000-memory.dmp

Filesize
4KB

Download
memory/1656-31-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/1656-39-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads