15299caa1b5415ff77b186682574625dd896aec4daa0c543c737e38bfb05845f

General

Target

bb9d3ef069c75230d05690832ec36896_JaffaCakes118.dll
Size

875KB
MD5

bb9d3ef069c75230d05690832ec36896
SHA1

a30948d8eaf546919e752de5790e08c60588dc9c
SHA256

15299caa1b5415ff77b186682574625dd896aec4daa0c543c737e38bfb05845f
SHA512

0e6ac6b8d59245e740e09fe6028061ffcf6c14f8df82ce6d575fb6e1d4b4043a9c6182a07a4de68e358bc0f77a7f05a55f10dbd9d08c74b99e9b4b92fdbba1a5
SSDEEP

12288:JtQtKwHeZOFwqhs8Zvr4bBJ8ser/57mT/VCjV3O:DQtKDUwf8ZvrmJjeTkTYs

Score

7^/10

adware persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331113}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331113}\ = "CrossriderApp0063313"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331113}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611331113}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\VersionIndependentProgID\ = "CrossriderApp0063313"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550655335513}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO\CLSID\ = "{11111111-1111-1111-1111-110611331113}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336613}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660666336613}\TypeLib\ = "{44444444-4444-4444-4444-440644334413}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox\CurVer\ = "CrossriderApp0063313.Sandbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\TypeLib\ = "{44444444-4444-4444-4444-440644334413}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550655335513}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}\ = "ICrossriderBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660666336613}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110611331113}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\VersionIndependentProgID\ = "CrossriderApp0063313.Sandbox"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220622332213}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\ = "CrossriderApp0063313 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb9d3ef069c75230d05690832ec36896_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb9d3ef069c75230d05690832ec36896_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550655335513}\TypeLib\ = "{44444444-4444-4444-4444-440644334413}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox.1\ = "CrossriderApp0063313.Sandbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336613}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\ = "TheGoPhoto.it V10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336613}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\ProgID\ = "CrossriderApp0063313.BHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220622332213}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660666336613}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622332213}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550655335513}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336613}\ = "ISandBox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.Sandbox.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110611331113}\TypeLib\ = "{44444444-4444-4444-4444-440644334413}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644334413}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550655335513}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660666336613}\TypeLib\ = "{44444444-4444-4444-4444-440644334413}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0063313.BHO.1\ = "CrossriderApp0063313"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb9d3ef069c75230d05690832ec36896_JaffaCakes118.dll
1⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4076