a1e79973551133833f062e6ec2ba8a48b9ebe1fc2383d20e5b3943758169b254

General

Target

078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Size

989KB
MD5

078f6c4adcea80cd47412fc3ed066c0b
SHA1

d01483c81ca96fc29026d944b19c6e2aa18eb9a4
SHA256

a1e79973551133833f062e6ec2ba8a48b9ebe1fc2383d20e5b3943758169b254
SHA512

a1ed26b83efe81b9b7b47bf545b69213ae4f6fcdd9a0245fc5aabbf15118d69592e4fdea56d72fb0f0d78794624a00998032167b6bf8c564a6a1567c67a322c0
SSDEEP

24576:8JKHP49941fK2hM5ls1iYgBrSGIQm+aOQ+8ampnNZgIe0Gs637TxRtId:8Uw+fKVlDpc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1080	regsvr32.exe
2056	WerFault.exe
2056	WerFault.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taobao.ico	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Hotspot Shield\HssIE\HssIE.dll	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\newicon.ico	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
File opened for modification	C:\Windows\newicon.ico	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	1080	WerFault.exe	28

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D)	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ = "HotspotShieldÄ£¿é"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\ = "HotspotShieldÄ£¿é"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ProgID\ = "HssIE.HotspotShieldÄ£¿é"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\DefaultIcon\ = "C:\\Windows\\newicon.ico"	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O)	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O)\Command	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ = "Internet Explorer"	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid\ = "{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ShellFolder	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.wz1122.com"	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\Shell\ÊôÐÔ(&D)\Command	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\InprocServer32\ = "C:\\PROGRA~1\\HOTSPO~1\\HssIE\\HssIE.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143E0647-83CB-48D2-A625-C6ACF3F2D1DB}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\DefaultIcon	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D4B9DF8-712F-4020-85DD-CCE7E16A3BFE}\ShellFolder\Attributes = "10"	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1080	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	28
PID 1080 wrote to memory of 2056	1080	regsvr32.exe	29
PID 1080 wrote to memory of 2056	1080	regsvr32.exe	29
PID 1080 wrote to memory of 2056	1080	regsvr32.exe	29
PID 1080 wrote to memory of 2056	1080	regsvr32.exe	29
PID 2300 wrote to memory of 2224	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	33
PID 2300 wrote to memory of 2224	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	33
PID 2300 wrote to memory of 2224	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	33
PID 2300 wrote to memory of 2224	2300	078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\078f6c4adcea80cd47412fc3ed066c0b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Program Files\Hotspot Shield\HssIE\HssIE.dll" -s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 304
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\qpg.bat
  2⤵
  - Deletes itself
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Hotspot Shield\HssIE\HssIE.dll

Filesize
511KB

MD5
17e8f6bd91e2adcd7e8015015fcd54b6

SHA1
d1b1bfd4cd9aad0388efbff1aa16cb1111b9b451

SHA256
8f98c68c1ffce60d3a5ab1dc50114777df63b455b5dc12b289a4fa1c47400142

SHA512
1b1923b0392e307a9884e41b1f1c41362e4ecb33243f3db2929495356c752e8faf7437ada692c23a63465601bfb3882af65dd067b4bce3cfab19d095b3692e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpg.bat

Filesize
212B

MD5
60f889ffb438fa9ad4eba1a8862dce56

SHA1
8c408132bbeb6fcc8c2f504c1548360ed230d242

SHA256
97c7a5f6d6e5ad2dde6fbaf6c47a1f433bb1cc5fb9e25cf712594c7d9f89b917

SHA512
228db42a90e1fae0767778b2a7fd9679bf37572665e2f6458dedefb94320c9d8adb6055ef2001f3a03dc1e7cdca0b87a1f27d4bc945d200e5904f6248dd83df3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
5ac69fb2967724296bcfe6b639b13cfe

SHA1
ff4ff693759eeac29482c1780464f1cf043d63a7

SHA256
cac42d6e9d84af2265e007583ab2ecde9f3b045d750b0a645ce4c07326bdfad7

SHA512
aa5e455ecef6b45851b1bb26c2d96d7bafa977a154e8f2ee1e24dcab940f0ed8647adfaa6154c0ad30efdc84ca93e585808226d73a9aca42aefbbebfc5de3488

Download Submit
memory/1080-4-0x0000000000420000-0x00000000004A5000-memory.dmp

Filesize
532KB

Download
memory/1080-9-0x0000000000420000-0x00000000004A5000-memory.dmp

Filesize
532KB

Download
memory/2300-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2300-7-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2300-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2300-49-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing