338a3c8755bd5fefc34ec6adcc91ea9d6b3dee196a9f1bef95f54416133dabf2

General

Target

a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Size

90KB
MD5

a5dbe6f5469a33b283ec92247f605624
SHA1

254ebcc354659af4838f55a258f032f9fff123e7
SHA256

338a3c8755bd5fefc34ec6adcc91ea9d6b3dee196a9f1bef95f54416133dabf2
SHA512

fd7657d4d79dafc68d2372bd95b5c6b060bae4e906e5ba3e50a127beafaa887fdfb71fd701d013275db2fa2d578bb72c7ac6d6a2cd15749a6f33b7327991d8d0
SSDEEP

1536:+Qpy7IaDGK6FJ/fc0U3X5ItM5CSQITsEhNXf4cWmXTpD9BLsdi/o2ubNf:+z7/Db67/q3nCF8hNXwF4DLAdiN0N

Score

10^/10

adware defense_evasion discovery persistence stealer upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy = "{66186F05-BBBB-4a39-864F-72D84615C679}"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\ = "Systray component"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\Locale = "EN"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\StubPath = "rundll32 sockins32.dll,InitModule"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\IsInstalled = "1"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\Version = "1,0,0,2"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023455-9.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023455-9.dat	upx
behavioral2/memory/2340-11-0x0000000010000000-0x0000000010019000-memory.dmp	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sockins32.dll	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sft.res	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\index.html	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\InProcServer32	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ProgID	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\TypeLib\ = "{0AB9CC99-BBBB-40cb-A718-9A2AF9026DFD}"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32\ThreadingModel = "Apartment"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\ = "WebProxy"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ = "Microsoft copyright"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\TypeLib	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\InProcServer32\ = "sockins32.dll"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\InProcServer32\ThreadingModel = "Apartment"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32\ = "sockins32.dll"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ProgID\ = "MS"	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2340	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	87
PID 60 wrote to memory of 2340	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	87
PID 60 wrote to memory of 2340	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	87
PID 60 wrote to memory of 712	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	88
PID 60 wrote to memory of 712	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	88
PID 60 wrote to memory of 712	60	a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5dbe6f5469a33b283ec92247f605624_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s sockins32.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A5DBE6~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sockins32.dll

Filesize
32KB

MD5
849c8247a5673359bfae683e106e277b

SHA1
43223dde862cf340348f8048afd024385a53f2d6

SHA256
788a88f8e04c8ca10520567a175617c20b4122cff6ade36a88eb85cce49f0683

SHA512
580798ab3956d5bae35f883e4207ea26c877bcd6ebb0389dd2b67827fd1304f8ddb53a1153e3939ad3d00fb971a436712751c6bea1c2a4fc7ed3c8c8a51dce98

Download Submit
memory/60-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/60-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/60-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/60-2-0x0000000000405000-0x000000000041A000-memory.dmp

Filesize
84KB

Download
memory/60-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/60-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-11-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads