93f0890508720eeed60afd0b91e582052d7913afd45aff8e8101a3bf47f84d55

General

Target

4706f23dc7bdcf0a1932ad37895fb0ea_JaffaCakes118.dll
Size

356KB
MD5

4706f23dc7bdcf0a1932ad37895fb0ea
SHA1

6ebeea72c93043b6737e9c7b7067ed80f909e560
SHA256

93f0890508720eeed60afd0b91e582052d7913afd45aff8e8101a3bf47f84d55
SHA512

956d51408fe7699ac5176b2e09f1b2e401605989bc73d4e080a5e9179019d75bded2944d3f6b2df88445aee0fb1342dd381b9db7c7091c66ae3bb9e4c16ffced
SSDEEP

6144:MqLg6yNvK1NHbhI966AGkAjOpoaY7Hwviy5aRwDnKahkLqTk:DyNvKnH1q6xGJOpqbwK1RkeGTk

Score

6^/10

adware persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{fa3aec70-c7c9-ba82-0b86-67c2f23db85a} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\4706f23dc7bdcf0a1932ad37895fb0ea_JaffaCakes118.dll\" DllStart"	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}\NoExplorer = "\"\""	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}\ = "adsonmedia browser optimizer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4706f23dc7bdcf0a1932ad37895fb0ea_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fdbd6002-14f9-4250-dd4d-5f7ef16f46a5}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4952	3212	regsvr32.exe	83
PID 3212 wrote to memory of 4952	3212	regsvr32.exe	83
PID 3212 wrote to memory of 4952	3212	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4706f23dc7bdcf0a1932ad37895fb0ea_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4706f23dc7bdcf0a1932ad37895fb0ea_JaffaCakes118.dll
  2⤵
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4952-0-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/4952-1-0x0000000001FB0000-0x000000000200A000-memory.dmp

Filesize
360KB

Download
memory/4952-11-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/4952-25-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/4952-24-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/4952-23-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4952-22-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/4952-21-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4952-20-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4952-19-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/4952-18-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4952-17-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4952-16-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4952-15-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/4952-14-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4952-13-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/4952-12-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/4952-10-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/4952-9-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4952-8-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/4952-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4952-6-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4952-5-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4952-4-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4952-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4952-2-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads