b0b967f7c9262851732a938c9689d6928777a542a26a27ab34b25fc1ef8677cb

General

Target

9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe
Size

68KB
MD5

9ee2d40217261f1bf12969677cb0a5b6
SHA1

5e25b27899e42e99cdb2b147dae1d48850cc878f
SHA256

b0b967f7c9262851732a938c9689d6928777a542a26a27ab34b25fc1ef8677cb
SHA512

099372e858842afe69b7b3ca8aad74ed5835c2fe7ac967b0150aaae36acb5b4426d6afb52569af911308979318dcc2dcf605c215673058535e353b072c79a890
SSDEEP

1536:x6RXs3kY2JwfO0t8HVtolv7xqCUbSVjFa4tbuWgUwo4km:4p8I4eu7eGVJa4BuJ8m

Score

7^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sun\xcrpnzhj0.dll	acprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2672 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2792 rundll32.exe
2792 rundll32.exe
2792 rundll32.exe
2792 rundll32.exe

pid	process
2672	cmd.exe

pid	process
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpc = "rundll32.exe\"C:\\Users\\Admin\\AppData\\Roaming\\Sun\\xcrpnzhj0.dll\", RegisterDll"	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpc = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Sun\\xcrpnzhj0.dll\", RegisterDll"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sun\xcrpnzhj0.dll	upx
behavioral1/memory/2792-9-0x00000000037C0000-0x00000000037E5000-memory.dmp	upx
behavioral1/memory/2792-8-0x00000000037C0000-0x00000000037E5000-memory.dmp	upx
behavioral1/memory/2792-7-0x00000000037C0000-0x00000000037E5000-memory.dmp	upx
behavioral1/memory/2792-21-0x00000000037C0000-0x00000000037E5000-memory.dmp	upx
behavioral1/memory/2792-23-0x00000000037C0000-0x00000000037E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exerundll32.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownVerifyBalloon = "3"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Security	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1"	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

2792 rundll32.exe

pid	process
2792	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe

description	pid	process	target process
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2792	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	rundll32.exe
PID 2892 wrote to memory of 2672	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2672	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2672	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2672	2892	9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ee2d40217261f1bf12969677cb0a5b6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\Sun\xcrpnzhj0.dll",RegisterDll
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9EE2D4~1.EXE >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sun\pwt

Filesize
9KB

MD5
0828e138015549c61d0f26be03c97513

SHA1
8b37b865251ccd2b085e25c7fcd40c34d688a55a

SHA256
0ccb4b662fff9f23afd510b35b41a4bad250e35ba2012ad7369bb09105ca5e7a

SHA512
07d5387ba8c6888aa27707eec83b1373e2c41430bf5e52a67ba8181c7ac7e68dcf2931a5fdefc474c7a608b1cf9d7e3ce86fb0d5143f30c64fb557bd36a3994f

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\xcrpnzhj0.dll

Filesize
48KB

MD5
4f4fb4dc236b46688b4f38ba109572ce

SHA1
4ae311d32c78f4fb54e0442622966d40997f34b0

SHA256
e2c88bc909b635917a06af2bb41e073d2b2a850f1951b05c1f481acb5bfaa95c

SHA512
5ef6409e5bf94f5d7725d07aeaaf7c3cf0e51c860d1d2974eed0d547c968abc5226d9770eeb1566b81fb01d4e5145ae43861037cafb49581a610760e716436ab

Download Submit
memory/2792-9-0x00000000037C0000-0x00000000037E5000-memory.dmp

Filesize
148KB

Download
memory/2792-8-0x00000000037C0000-0x00000000037E5000-memory.dmp

Filesize
148KB

Download
memory/2792-7-0x00000000037C0000-0x00000000037E5000-memory.dmp

Filesize
148KB

Download
memory/2792-21-0x00000000037C0000-0x00000000037E5000-memory.dmp

Filesize
148KB

Download
memory/2792-23-0x00000000037C0000-0x00000000037E5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads