f05fec07941e9c9b29ac7cb452c3d4e9a4508464ff72c0ff5e46ec0c5792544f

General

Target

75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Size

128KB
MD5

75c9c7c89f3b56fcb5e73229a00e8b4d
SHA1

ea1486902ee3f27a3ccd6de72d455ebc22029747
SHA256

f05fec07941e9c9b29ac7cb452c3d4e9a4508464ff72c0ff5e46ec0c5792544f
SHA512

f8994bc564ac190294ad37633814b4814ecefc631d8882e42eca780510ab6ea6aa8ca4194a9c3d3207fd72bb9d85c4e2bc1b83e62ed1d80bf40a1b5c729129ef
SSDEEP

3072:kO1HUKNu8Q9fVtaNYLTC+U+FS0Y7AeXIDoquhuiDHkc6:b1HUKp6faqx/s0dVcquMiDkc6

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000016d58-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2172	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000016d58-1.dat	upx
behavioral1/memory/2172-329-0x0000000010000000-0x000000001004F000-memory.dmp	upx
behavioral1/memory/2172-17820-0x0000000010000000-0x000000001004F000-memory.dmp	upx
behavioral1/memory/2172-32493-0x0000000010000000-0x000000001004F000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml71.dll	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2172	75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75c9c7c89f3b56fcb5e73229a00e8b4d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msxml71.dll

Filesize
102KB

MD5
2fd49fdcb7f9a4477c0edabe44deab4e

SHA1
f72771dbf27ce336f2d359b33e08f0b0263bf48d

SHA256
fa5effedb1b2696dc52510c75941861d89c18c4c3e1371dee162643811f54209

SHA512
9ea72a70946b5e15044beb66c4d9ff659527dd00b0f7d6e2091fe18a358540bac6ecfa14e906d77d7d848d0bad849528086b41ad19843f6b10f8a3fb15073f71

Download Submit
memory/2172-329-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/2172-17820-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/2172-32493-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing