0e2ff7a0c75cddbe2570688ae3e8afff5b3c2cfa4521474943595a4d96e378a5

General

Target

416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe
Size

1.0MB
MD5

416e2b46a47c74d0ae1e75ac69aee03e
SHA1

909ef0d9fc38c0900072e5d7ac3495f5d263e5e5
SHA256

0e2ff7a0c75cddbe2570688ae3e8afff5b3c2cfa4521474943595a4d96e378a5
SHA512

0bc2d8744663612a72bd2a3eb591acbc59e35093b239163f9689f4f306ce6052f25c3e47ca9f039e8941955d3c19480144618333fa2594e23e5524db72d9f675
SSDEEP

12288:LHVOPAQj+bkTKTGPMnLeFv6G4lVl+unwsXp8rBrq1oOIKr5iBo+zSayUJHf78C2G:BOPf+jGPM99d5mkvprceuJHfZy0qU3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
19	2964	rundll32.exe
21	2964	rundll32.exe
23	2964	rundll32.exe
29	2964	rundll32.exe
36	2964	rundll32.exe
40	2964	rundll32.exe
41	2964	rundll32.exe
43	2964	rundll32.exe
45	2964	rundll32.exe
50	2964	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	Crypted.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDir = "C:\\WINDOWS\\Media\\wininnet.cpl"	reg.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cc3-13.dat	upx
behavioral2/memory/2476-16-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/2476-22-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/2476-29-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/2476-55-0x0000000000400000-0x00000000005AF000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\java.exe	Crypted.exe
File created	C:\WINDOWS\Media\wininnet.cpl	Crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3672	2964	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DOMStorage\bb.com.br	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\bb.com.br\NumberOfSubdomains = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DOMStorage\autoatendimento.bb.com.br	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\autoatendimento.bb.com.br\ = "86"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\bb.com.br\Total = "86"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\bb.com.br	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2964	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2964	rundll32.exe
2964	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2476	3204	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	86
PID 3204 wrote to memory of 2476	3204	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	86
PID 3204 wrote to memory of 2476	3204	416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe	86
PID 2476 wrote to memory of 2604	2476	Crypted.exe	87
PID 2476 wrote to memory of 2604	2476	Crypted.exe	87
PID 2476 wrote to memory of 2604	2476	Crypted.exe	87
PID 2476 wrote to memory of 3808	2476	Crypted.exe	88
PID 2476 wrote to memory of 3808	2476	Crypted.exe	88
PID 2476 wrote to memory of 3808	2476	Crypted.exe	88
PID 3808 wrote to memory of 2344	3808	cmd.exe	91
PID 3808 wrote to memory of 2344	3808	cmd.exe	91
PID 3808 wrote to memory of 2344	3808	cmd.exe	91
PID 2344 wrote to memory of 2964	2344	control.exe	94
PID 2344 wrote to memory of 2964	2344	control.exe	94
PID 2344 wrote to memory of 2964	2344	control.exe	94

C:\Users\Admin\AppData\Local\Temp\416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\416e2b46a47c74d0ae1e75ac69aee03e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v WinDir /d "C:\WINDOWS\Media\wininnet.cpl" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k start C:\WINDOWS\Media\wininnet.cpl
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\WINDOWS\Media\wininnet.cpl",
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\WINDOWS\Media\wininnet.cpl",
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 2704
        6⤵
        Program crash
        
        PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2964 -ip 2964
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
490KB

MD5
722e46f7acdc9ad4b63bf416e9b0985b

SHA1
86cd18c974bc226e24576e13b1e10a1519d52f65

SHA256
e03039bc51b004ca869518e52b05d0eb21fd104e83657e70bcf6aa74674729e1

SHA512
84f3f8d0c1dee0d831435b83e4a124c5540781f8526b06d106a782568f148cc3d2d48c883bf3c4ecb6ae7d0fa69614216021e3d7d5b96cad61330ac6e44c6d16

Download Submit
C:\WINDOWS\Media\wininnet.cpl

Filesize
722KB

MD5
d04386e99e59fc97312de8cb0383a18c

SHA1
e421a922bd4aea728e5ac7e543bd60b7df282233

SHA256
2455d276552b74837007d6a3e9c92d3f27976235a0f9ec8edbff5c63136f9148

SHA512
47e94957a71205ee1a9d7bc1d30e8f4834e786d7ce9b8341b44100268a73b08f8e42de5623e1a95492c52da8e8c74a0a2efd0b6401b1ff336e900e518b17508e

Download Submit
memory/2476-16-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2476-19-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2476-55-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2476-29-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2476-24-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2476-22-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2964-112-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2964-30-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3204-7-0x000000001CA10000-0x000000001CA5C000-memory.dmp

Filesize
304KB

Download
memory/3204-0-0x00007FFC0F675000-0x00007FFC0F676000-memory.dmp

Filesize
4KB

Download
memory/3204-21-0x00007FFC0F3C0000-0x00007FFC0FD61000-memory.dmp

Filesize
9.6MB

Download
memory/3204-2-0x00007FFC0F3C0000-0x00007FFC0FD61000-memory.dmp

Filesize
9.6MB

Download
memory/3204-8-0x00007FFC0F3C0000-0x00007FFC0FD61000-memory.dmp

Filesize
9.6MB

Download
memory/3204-1-0x000000001BCF0000-0x000000001BD96000-memory.dmp

Filesize
664KB

Download
memory/3204-3-0x000000001C280000-0x000000001C74E000-memory.dmp

Filesize
4.8MB

Download
memory/3204-6-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/3204-5-0x000000001C8B0000-0x000000001C94C000-memory.dmp

Filesize
624KB

Download
memory/3204-4-0x00007FFC0F3C0000-0x00007FFC0FD61000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads