fdf1768bb6fe92be6c1d03ab713fc92e7d0a7ee3f70ade9ac3559178b49c6056

General

Target

b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Size

1.1MB
MD5

b4f2b7450dbf379990d0322d14b1764a
SHA1

db08c17a3bd45226f72d72f3c972df10dfafcef3
SHA256

fdf1768bb6fe92be6c1d03ab713fc92e7d0a7ee3f70ade9ac3559178b49c6056
SHA512

97ebb8589718625e7c11d3267adeb2b69b428b9fdffa8a2c4920065103e189ea6425fb05eb3ddda1d5c622111e9ef2527bc8cb5191372bbf3e8b8869fa17b31c
SSDEEP

24576:T9h/dOr0QrpGYLBPx4yvzBXTCkpM1AzywGIDyfJd5Oh/BXyoOCsw0:TupBPnvzBSmz2rv5Y/kw0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2664	setup.exe
2676	Baidu-Toolbar-jytxz.exe

Loads dropped DLL 9 IoCs

pid	Process
1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
2664	setup.exe
2664	setup.exe
2664	setup.exe
1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
2676	Baidu-Toolbar-jytxz.exe
2676	Baidu-Toolbar-jytxz.exe
2676	Baidu-Toolbar-jytxz.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe
File created	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\newicon.ico	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baidu-Toolbar-jytxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d4a-15.dat	nsis_installer_1

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\DefaultIcon	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\DefaultIcon\ = "C:\\Windows\\newicon.ico"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\ÊôÐÔ(&D)\Command	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\ÊôÐÔ(&D)	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\ShellFolder\Attributes = "10"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\Open(&O)\Command	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\Open(&O)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE http://www.7322.com"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\ShellFolder	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\Open(&O)\ = "Open(&O)"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\ = "Internet Explorer"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\Open(&O)	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C55FB1A5-F84C-4A69-A0F4-3C191CC873E5}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2664	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2676	1700	b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30
PID 2664 wrote to memory of 2736	2664	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f2b7450dbf379990d0322d14b1764a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\Baidu-Toolbar-jytxz.exe
  "C:\Users\Admin\AppData\Local\Temp\Baidu-Toolbar-jytxz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

Filesize
69B

MD5
32f45cd6abc1d26f07b8ddb71871ce05

SHA1
0cc28dc63d50327a74f8e964cdf23ffed05a8699

SHA256
a2023fadce396c9265a61f24b6dcc5e95aaaf2b9efa1eceac2fcc1332322e716

SHA512
f18d1ed212bda39f671fe7d7dac6cc6f5012e17149b57c7a121e666f09d5040c75ced09679bef1e630cd69fc03d824ced178be25b275139e4f4e139a0f96ebb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
c9a18050f85aa3d1ffb6a5f4115b1418

SHA1
935b0a7b75cdb26943ade4bac15a6eeb8cd9da11

SHA256
2a011ac8633ae1a13e0eda7c1674b7176f961898f1dfc34561994f78aa0557d3

SHA512
f3fafca8dba1eb792107835cef1f535893f6e9a18ac6d3a8fcea9980b2264efd2dfe13d61dc4630b2d40cc8f8f5673233305267031323e5cb1f22615e9be7bc7

Download Submit
\Users\Admin\AppData\Local\Temp\Baidu-Toolbar-jytxz.exe

Filesize
842KB

MD5
53313ae428555585f4c4e15311a5af06

SHA1
642b4118708b54bc08a353a2fda3645133c4213f

SHA256
5acbcbd3d6f353efa0c8d12483646c2a33b76058a0b866ad447dfab9cc9a7eea

SHA512
1f6afc216de13dc4dfe2342e579fae74c030383ec45d39339504b0a6487ba0e341196a2c9a91912272915afcece6cac4effb956cacb82d12c968d00af762ccbd

Download Submit
\Users\Admin\AppData\Local\Temp\nso6F19.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
391KB

MD5
6360ccc5468219ef2e92598342387a35

SHA1
7bd1c30f275b1c8304c77909e26cda7fe56ae739

SHA256
4f282896dc504b36d547ab45b3967c2a810b26a96aa850809366af9010fb3137

SHA512
25b64e063e5b806702c1a1a9dd0b3c11cb001c76b329b731211fbc8594a6abe00c77b4326f1dc7250eff53b9a00027b883d4f32ee318ca682d19ef11fe3faecc

Download Submit
memory/2664-50-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing