7c53d166f8f0242c4eb078cfda8593af367b35a00717c8d51d740aa0022aa7ee

General

Target

392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Size

68KB
MD5

392cc99c6daaa2adb4b62922be28a8f1
SHA1

f273c455678a6c84db8821264a0d4119ca757914
SHA256

7c53d166f8f0242c4eb078cfda8593af367b35a00717c8d51d740aa0022aa7ee
SHA512

e53c4b7acd6e280be29d51cb9d72c69be72dd17f55a19fcb768487b90d738574539b815518b8f36bd09f05b4c9319effb261ad67bf6df8190552667d933ff90b
SSDEEP

1536:58KSZqruCGaP4gsjVTTI31YLcP38NYfN9sx+CyOPQ5e:XSuu1aP4ZTk31YLe8N6Sx+CyOV

Score

10^/10

adware evasion stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\XPPoliceAntivirus\setup.dat	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\iehost.dll	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\don't load\wscui.cpl = "No"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\don't load	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\don't load\scui.cpl = "No"	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\VersionIndependentProgID\ = "WinGDIApp.WinGDI"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\InprocServer32\ = "C:\\Windows\\iehost.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI.1\ = "WinGDI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI\CurVer\ = "WinGDIApp.WinGDI.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\ = "WinGDI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI\ = "WinGDI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI\CLSID\ = "{12c7290a-157b-4f43-b109-97e792c598ed}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\TypeLib\ = "{8a10fc9b-8d76-4e95-a9be-acda2f665c30}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI.1\CLSID\ = "{12c7290a-157b-4f43-b109-97e792c598ed}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGDIApp.WinGDI\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\ProgID\ = "WinGDIApp.WinGDI.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}\InprocServer32	regsvr32.exe

Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2320	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	29
PID 1072 wrote to memory of 2700	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2700	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2700	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2700	1072	392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3052	2700	net.exe	32
PID 2700 wrote to memory of 3052	2700	net.exe	32
PID 2700 wrote to memory of 3052	2700	net.exe	32
PID 2700 wrote to memory of 3052	2700	net.exe	32

C:\Users\Admin\AppData\Local\Temp\392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\392cc99c6daaa2adb4b62922be28a8f1_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Windows security modification
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Windows\iehost.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2320
- C:\Windows\SysWOW64\net.exe
  C:\Windows\system32\net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\iehost.dll

Filesize
15KB

MD5
d09ba8ce003d53d734ee42c470b4958a

SHA1
69b25869843be992d8c33f9b8e5e2a56b3a74729

SHA256
d1eac348b38bd635604dcb7d73ba3dfa725dd4f430b9e343f66b10d30a256042

SHA512
d5368f9dfa3a7a626eb0e529f066fd52780956d769d6e8db3100e7f0b11b06997a9e4bc947b5703e8b5834ed3115a82885707389e1f38a8509542b166c4294ef

Download Submit
memory/1072-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1072-0-0x0000000000403000-0x0000000000413000-memory.dmp

Filesize
64KB

Download
memory/1072-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1072-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2320-6-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2320-5-0x0000000010003000-0x0000000010006000-memory.dmp

Filesize
12KB

Download
memory/2320-8-0x0000000010003000-0x0000000010006000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads