4e10e1a68c20201a247a175931a227cb98c3fecab70675e714e633c00a41b723

General

Target

39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Size

128KB
MD5

39213c69a49421ce6810ee08d6e8a6e9
SHA1

85855d8371e8e4b3deb73cccda47f13ccd9422b5
SHA256

4e10e1a68c20201a247a175931a227cb98c3fecab70675e714e633c00a41b723
SHA512

b3c5693adabb984cc488589607d01dcb2426be669a713f5722a1f29dcd90dec734d602a888e1a562ad977d06a36391d6a16fd5a0d06e55e5fa73e79f1f5599e3
SSDEEP

3072:hH68hrkpV8ivL8hxja0oeFYQ8cuSXIg8e+3LS/04rV9kXJYUg:B68hJPY0oeF4NSXr/jnB

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023461-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3616	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023461-1.dat	upx
behavioral2/memory/3616-4-0x0000000010000000-0x000000001004F000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml71.dll	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library"	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3616	39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39213c69a49421ce6810ee08d6e8a6e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msxml71.dll

Filesize
103KB

MD5
e7b7d25d5580d537be6dc861ec70f979

SHA1
c44a1e379766604a87afd58717f0e7556c978f3b

SHA256
5c574cc66f09fec91346975238c9cd63afd37fc00f6bdd41db55c65275f3412c

SHA512
2798ca0f217537ebed81adc3c6cc6d28bdd54670092667b0917146ba35e2d9e7292faeecf38e817d97ffb7a844081b4960852000f89bb04ba94cc6192aa782f8

Download Submit
memory/3616-4-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing