b1ea57d7569fec7d244810cb77a4bfe3220104afab20918febcd44743eeb7e2e

General

Target

f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Size

234KB
MD5

f42b5ff4ab691b9af3c72cdfda43d419
SHA1

9759512749bdc88c0430b2e664e055f07e46f66b
SHA256

b1ea57d7569fec7d244810cb77a4bfe3220104afab20918febcd44743eeb7e2e
SHA512

ac478171a959eae1517043f8607790bec0840648ef96075d8882235b058ab2b44cc92e924e39108da82598b72a865c8775fcb20c4afefa97e2bc26693c9b2cb6
SSDEEP

3072:m1GQp9T0SQmaEDqSpDZcYLWF95uiLztGtCTrHLgr:P23gIpUF95tzv3gr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1084	YFreeze.exe
2824	server.exe

Loads dropped DLL 8 IoCs

pid	Process
1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2784	2824	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YFreeze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	YFreeze.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1084	YFreeze.exe
1084	YFreeze.exe
1084	YFreeze.exe
1084	YFreeze.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1084	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	29
PID 1744 wrote to memory of 1084	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	29
PID 1744 wrote to memory of 1084	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	29
PID 1744 wrote to memory of 1084	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	29
PID 1744 wrote to memory of 2824	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2824	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2824	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2824	1744	f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe	30
PID 2824 wrote to memory of 2784	2824	server.exe	31
PID 2824 wrote to memory of 2784	2824	server.exe	31
PID 2824 wrote to memory of 2784	2824	server.exe	31
PID 2824 wrote to memory of 2784	2824	server.exe	31

C:\Users\Admin\AppData\Local\Temp\f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\YFreeze.exe
  "C:\Users\Admin\AppData\Local\Temp\YFreeze.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\YFreeze.exe

Filesize
100KB

MD5
da0361b3cadca209285e1e99c920dd61

SHA1
6b8bbb2818df760ec7c744976aac1c2d4809dabf

SHA256
cc46750c3cbca3c122bcd04e4dafae885beb5f979c466f6ce7f5cbd7e501d282

SHA512
2bb42b963c1feef6364b88083713044ecd2d832d8c0c2e69740e93ed0d6aecb48229fe390472f9f266d20e805e4fb94e23df08c40eb672ec20064768d2a72d2a

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
107KB

MD5
6353c2c7a90a00e3bb1aee4719eec09e

SHA1
baba6f6034b69a1576f016444da489056ce7c33e

SHA256
1e31408a32de96dcac28b2b68d5909ffb112b190eafc7cdc2da044c8d31d6f13

SHA512
c9c9d4f2ac3391310ad1ff7855b0c40606a28a84eb49cb1ec8c000ba56dd20ffcac8d05e11d6901313af3fad17f06dba1d36fb946dda9a192aae20c26ae962a0

Download Submit
memory/1084-31-0x0000000005680000-0x0000000005A92000-memory.dmp

Filesize
4.1MB

Download
memory/1744-13-0x0000000002120000-0x000000000213C000-memory.dmp

Filesize
112KB

Download
memory/1744-19-0x0000000002120000-0x000000000213C000-memory.dmp

Filesize
112KB

Download
memory/1744-32-0x0000000002120000-0x000000000213C000-memory.dmp

Filesize
112KB

Download
memory/2824-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing