cc447c1468d6ceab348ff7d5b1c38749d85455b74820ff892f4c0575d6ae16a3

General

Target

189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Size

2.0MB
MD5

189b23c28725bffbb2cf1c047918914d
SHA1

89bd409a76a892c404c3cb6961bef9763da34d02
SHA256

cc447c1468d6ceab348ff7d5b1c38749d85455b74820ff892f4c0575d6ae16a3
SHA512

408817019ee634a14daa74eaf21ce94ccfbe5cf7f97c1b1075aea4c6ee3603fb6bb4c1b741aefdba77d409a674ef98682246b96851879e93da4abf1b41e705af
SSDEEP

3072:QUXUBCQBePBY37DOkY3ABh8Nj4NNka/kF:QzBCQBeZYL2ABOm

Score

8^/10

adware persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\moninftapi.exe"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c00630070006c007000640062006e00650074002e006500780065000000	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\moninftapi.exe"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\idsrvpc.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvpdbpc.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fwwmsys.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wdmudfnet.ocx	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmlibnet.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwwmsys.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wdmudfnet.ocx	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\idsrvpc.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cplpdbnet.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srvpdbpc.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cplpdbnet.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\moninftapi.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\moninftapi.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmlibnet.exe	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\wdmudfnet.ocx"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\189b23c28725bffbb2cf1c047918914d_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cplpdbnet.exe

Filesize
2.0MB

MD5
c51877d0f4f06bf0a920c745983a9049

SHA1
f5ab59c38c3392f856eae7063a0d63ef5e840fb9

SHA256
69754ef37c8e01f451a9d2b19b6657c150bb7f036a40b98029942451423b5c85

SHA512
64ccc36b5b2613c035ec155b2594420ede1cbac1017228fd1919ebb6d838ac7535951e991bc6f2e358359909e22bd9c561c75dde0ac9e29f35f0546983e23296

Download Submit
C:\Windows\SysWOW64\wdmudfnet.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
memory/2432-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2432-22-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads