bfcfa4045fbf1ffd93fcfc0ba90bf0529cd7de2f6a1636ac9c2f7ed006da26f8

General

Target

fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Size

17KB
MD5

fd03ce9f744f8d81e3fc934b4e0d8af1
SHA1

6c89f3e7c00ab86871f2d65da880013323626b65
SHA256

bfcfa4045fbf1ffd93fcfc0ba90bf0529cd7de2f6a1636ac9c2f7ed006da26f8
SHA512

60211399ed6af1f07838503e300f251aff511eae8ab29ca54fdcf33b2b018e035dae000b14c1116bfaf767e5a8e00fc7086afc9bceae829068ed90537fe2c22b
SSDEEP

384:wG8NpFp9xoAHj6j8P2uQc2+awGXaCUh7XaDHTjnkbXpY:B8N3XxoAHOm2uJltf1h7YHHkY

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nvctrl.exe = "nvctrl.exe"	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
2696	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}\	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ncompat.tlb	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\interf.tlb	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hp8066.tmp	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ncompat.tlb	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Search	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchUrl	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\InprocServer32	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\InprocServer32\ = "C:\\Windows\\SysWow64\\hp8066.tmp"	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\InprocServer32\ThreadingModel = "Apartment"	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e}\InprocServer32	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\ = "Nothing"	fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd03ce9f744f8d81e3fc934b4e0d8af1_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\hp8066.tmp

Filesize
53KB

MD5
e362e00abbd067dcf36bd0dd9d2a7de1

SHA1
2c903f205bf80ebddab43e2feef7cc812536fc14

SHA256
c670e62c24bf1e00658de7f0abe630356b571cd1e984e454116f908269a331bb

SHA512
68f4b2c239b52646ff7fe0705d1b9d8b3be33cda0b4dc295317cb5629028c3011a27b56ca1f4f288449bb03e7b9266ef8991246c64e6f1b84ff0d7e8ed26934c

Download Submit
\Windows\SysWOW64\interf.tlb

Filesize
7KB

MD5
d3a3ad12166520b6df5d3ea7d1583168

SHA1
a046e8263e392e1bfc6fe26042f6410ab6f10f80

SHA256
496dab6b39e9bddce04c5c0aef2150b8fab969a1ba553042526e234447d564ef

SHA512
53962afcd21bd7c871e8d5c414334c297915ac865a347bb22129bc45fb2d9ca30d00f04edfb867dd8ddcc10aba2da22d18d296e131e11d2cf173b436b46d544c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads