9c6c9c67dfee6ff911e04ee572a43fd2831fde8e52243581c08d639b8dabbe2c

General

Target

2f4bcbf1232315da7e72b8c79066132b_JaffaCakes118.dll
Size

15KB
MD5

2f4bcbf1232315da7e72b8c79066132b
SHA1

96f88633e52ee82c482ad3368361df27eb4b316b
SHA256

9c6c9c67dfee6ff911e04ee572a43fd2831fde8e52243581c08d639b8dabbe2c
SHA512

4269e13515d075adad2d6b5f17e08e7d7d31525704dfa17521533b3cbae1bde9853aab014a11da79b22959a9cefba6933b4f2e8bee94b6c93e7f4616ca617405
SSDEEP

384:FK0QmUQwS18PiEPlwFZ1IpjHRc8uswaQtApNk3cO:fUplhGsunyc3cO

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msindeo.dll = "{7ACB5731-5839-13AB-EABC-124791194525}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2464	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msindeo.dll	rundll32.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\InprocServer32\ = "C:\\Windows\\SysWow64\\msindeo.dll"	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\ntdx0002 = 8112031456ada06d4df66f28c66574fbda5b120d8b7ab9d847e583c25fefb6b4bb6f77af6493b1e1bfb471	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\grxa0002 = 8112031456ada06d4df66f28c66574fbda5b120d8b7ab9d847e583c25fefb6b4bb6f779fcc73b1e1bfb471	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\dswz0001 = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef4017e38b2415bf8b8511	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\feal = 10e30c8decd1da01	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\htsc0002 = 8112031456ada06d4df66f28c66574fbda5b120d8b7ab9d847e583c25fefb6b4bb6f7f47241bb1e1bfb479	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\rtex0001 = 8112031456ada0652d3e3fb87e05fcf332c3cac5abecb1a07f4d82813d9005dc79	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\dswz0002 = 8112031456ada06d4df66f28c66574fbda5b120d8b7ab9d847e583c25fefb6b4bb6f579fcc93b1e1bfb451	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\gecs0002 = 8112031456ada06d4df66f28c66574fbda5b120d8b7ab9d847e583c25fefb6b4bb6f379f3c7943f1bf89	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\notify = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef4077d3bbcae7af8bc0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\htsc0001 = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef403f3b63ac15bf8b8539	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\grxa0001 = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef4037e38bc415bf8b8531	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\InprocServer32	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\gecs0001 = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef4077e37bcae7af8bc0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ACB5731-5839-13AB-EABC-124791194525}\ntdx0001 = 8112031456ada0fdadf63f90fedd6c92a233cab583b2f32edfbf12eaef4037d3232415bf8b8531	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2464	2160	rundll32.exe	84
PID 2160 wrote to memory of 2464	2160	rundll32.exe	84
PID 2160 wrote to memory of 2464	2160	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f4bcbf1232315da7e72b8c79066132b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f4bcbf1232315da7e72b8c79066132b_JaffaCakes118.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Deletes itself
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2464-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2464-1-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/2464-3-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads