04e8be80c1fd148ea5dcf454d447b7d33cd7828381ffb9ed0d7bd97ae73d8160

General

Target

8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe
Size

1.0MB
MD5

8a658d49284856af54ef1f02a2af1a2c
SHA1

3cad1360759d4485d34e55fdc7560350f8524acf
SHA256

04e8be80c1fd148ea5dcf454d447b7d33cd7828381ffb9ed0d7bd97ae73d8160
SHA512

dadaec9a051226d1a0d65c0ce4eb7cec4f6ec0c0abeb721056382265f5ed3daddeaacea1e7f5a9e46307a97c72c56c583f2c42e8d15aac07e10fd71e7a8f196f
SSDEEP

12288:4jTpxThOSynbdJQ9Gl4ndMJ8JR/EEoCwx0bBzSfqzpSwyovU59nP3V7p1:4hhh4zD+dbRJoCwabRMZNVPv1

Score

10^/10

adware discovery stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.grooveshark.com/

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1240	gahEDAC.tmp

Loads dropped DLL 1 IoCs

pid	Process
1568	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\ = "Tango"	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\e678.dll	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gahEDAC.tmp

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\URL = "http://www.tangosearch.com/?q={searchTerms}&a=SEARCH"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\DisplayName = "Search"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{09EDEA8E-09E7-48DA-9504-B1800B862BF1} = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\URL = "http://www.tangosearch.com/?q={searchTerms}&a=SEARCH"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "http://www.tangosearch.com/?useie5=1&q="	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = "0"	gahEDAC.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://www.tangosearch.com/?useie5=1&q="	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = "0"	gahEDAC.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\Codepage = "65001"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\DisplayName = "Search"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{10DD1DC0-63E4-4106-AE72-D46B13D7A9F5}\Codepage = "65001"	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://home.tangotoolbar.com/"	regsvr32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\Properties\BuildName = "877779"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\Properties\Ticket = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\Properties\Version = "78"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\TypeLib\ = "{19C6C6A6-7BC6-4CFB-824A-03AEC4948712}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\TypeLib\ = "{19C6C6A6-7BC6-4CFB-824A-03AEC4948712}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\e678.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\ = "Tango"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\InprocServer32\ = "C:\\Windows\\SysWow64\\e678.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}\Properties	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\ = "Tango"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8F-09E7-48DA-9504-B1800B862BF1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09EDEA8E-09E7-48DA-9504-B1800B862BF1}	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe
1240	gahEDAC.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3076	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	83
PID 436 wrote to memory of 3076	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	83
PID 436 wrote to memory of 3076	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	83
PID 436 wrote to memory of 1568	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	84
PID 436 wrote to memory of 1568	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	84
PID 436 wrote to memory of 1568	436	8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe	84
PID 1568 wrote to memory of 1240	1568	regsvr32.exe	96
PID 1568 wrote to memory of 1240	1568	regsvr32.exe	96
PID 1568 wrote to memory of 1240	1568	regsvr32.exe	96

C:\Users\Admin\AppData\Local\Temp\8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a658d49284856af54ef1f02a2af1a2c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\mshta.exe
  mshta.exe http://www.grooveshark.com/
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\e678.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\gahEDAC.tmp
    C:\Users\Admin\AppData\Local\Temp\gahEDAC.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gahEDAC.tmp

Filesize
188KB

MD5
2c1a46dcf80cb07958dd42306275a45a

SHA1
7e36d0956022829778ce1d2e7811d6be40651675

SHA256
2449e4d0eb3449658f6c9d32d1901a616d9a3eff609d7a3e3ec7927393f272ef

SHA512
7c197770ccff5b3bdaaa522ce0cb01c764f1d25110930e7de1db0dd1ce78fb29e5d32bb925ca88eeb36146ece42b441513ce7b81dd7d6b43fd89cc999cf60bbe

Download Submit
C:\Windows\SysWOW64\e678.dll

Filesize
880KB

MD5
133085a33b628b44542e6700a2eee617

SHA1
8e61bdefd7ddc8cfd8e5a2f92468465182489903

SHA256
8a792e458a4e296edfd370aad4bb8a33395eb5c69312658de690f589bb6a1fce

SHA512
a3e6bcae7f7122c8332c19461e01a7c5a8f92220e0cdb0ef8d6cbbb474b835257cb0e5b8be7dd27a3641774a6ec8ad9b5dadf83ba96ec0f059c9e89f812eb92a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads