0e2ff7a0c75cddbe2570688ae3e8afff5b3c2cfa4521474943595a4d96e378a5

General

Target

416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe
Size

1.0MB
MD5

416e2b46a47c74d0ae1e75ac69aee03e
SHA1

909ef0d9fc38c0900072e5d7ac3495f5d263e5e5
SHA256

0e2ff7a0c75cddbe2570688ae3e8afff5b3c2cfa4521474943595a4d96e378a5
SHA512

0bc2d8744663612a72bd2a3eb591acbc59e35093b239163f9689f4f306ce6052f25c3e47ca9f039e8941955d3c19480144618333fa2594e23e5524db72d9f675
SSDEEP

12288:LHVOPAQj+bkTKTGPMnLeFv6G4lVl+unwsXp8rBrq1oOIKr5iBo+zSayUJHf78C2G:BOPf+jGPM99d5mkvprceuJHfZy0qU3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2780	rundll32.exe
8	2780	rundll32.exe
9	2780	rundll32.exe
10	2780	rundll32.exe
11	2780	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	Crypted.exe

Loads dropped DLL 4 IoCs

pid	Process
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDir = "C:\\WINDOWS\\Media\\wininnet.cpl"	reg.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d21-9.dat	upx
behavioral1/memory/2008-10-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2008-14-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2008-36-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2008-39-0x0000000000400000-0x00000000005AF000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\wininnet.cpl	Crypted.exe
File created	C:\WINDOWS\Media\java.exe	Crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	rundll32.exe
2780	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2008	2520	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2008	2520	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2008	2520	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2008	2520	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	30
PID 2008 wrote to memory of 2892	2008	Crypted.exe	32
PID 2008 wrote to memory of 2892	2008	Crypted.exe	32
PID 2008 wrote to memory of 2892	2008	Crypted.exe	32
PID 2008 wrote to memory of 2892	2008	Crypted.exe	32
PID 2008 wrote to memory of 3056	2008	Crypted.exe	33
PID 2008 wrote to memory of 3056	2008	Crypted.exe	33
PID 2008 wrote to memory of 3056	2008	Crypted.exe	33
PID 2008 wrote to memory of 3056	2008	Crypted.exe	33
PID 3056 wrote to memory of 2636	3056	cmd.exe	36
PID 3056 wrote to memory of 2636	3056	cmd.exe	36
PID 3056 wrote to memory of 2636	3056	cmd.exe	36
PID 3056 wrote to memory of 2636	3056	cmd.exe	36
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37
PID 2636 wrote to memory of 2780	2636	control.exe	37

C:\Users\Admin\AppData\Local\Temp\416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v WinDir /d "C:\WINDOWS\Media\wininnet.cpl" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k start C:\WINDOWS\Media\wininnet.cpl
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\WINDOWS\Media\wininnet.cpl",
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\WINDOWS\Media\wininnet.cpl",
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
490KB

MD5
722e46f7acdc9ad4b63bf416e9b0985b

SHA1
86cd18c974bc226e24576e13b1e10a1519d52f65

SHA256
e03039bc51b004ca869518e52b05d0eb21fd104e83657e70bcf6aa74674729e1

SHA512
84f3f8d0c1dee0d831435b83e4a124c5540781f8526b06d106a782568f148cc3d2d48c883bf3c4ecb6ae7d0fa69614216021e3d7d5b96cad61330ac6e44c6d16

Download Submit
C:\WINDOWS\Media\wininnet.cpl

Filesize
722KB

MD5
d04386e99e59fc97312de8cb0383a18c

SHA1
e421a922bd4aea728e5ac7e543bd60b7df282233

SHA256
2455d276552b74837007d6a3e9c92d3f27976235a0f9ec8edbff5c63136f9148

SHA512
47e94957a71205ee1a9d7bc1d30e8f4834e786d7ce9b8341b44100268a73b08f8e42de5623e1a95492c52da8e8c74a0a2efd0b6401b1ff336e900e518b17508e

Download Submit
memory/2008-10-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2008-14-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2008-39-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2008-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-36-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2520-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-1-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-2-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2520-0-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/2780-35-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download
memory/2780-37-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download
memory/2780-48-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download
memory/2780-49-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download
memory/2780-50-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download
memory/2780-51-0x00000000007B0000-0x0000000000869000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads