1c0ea41a70781315440312506580579d6cec23288406d54adfc9fe12d4980ddb

General

Target

b66d9603d3359ccb1aabc9f5779b0553_JaffaCakes118.dll
Size

216KB
MD5

b66d9603d3359ccb1aabc9f5779b0553
SHA1

d0e24bdd8ef3da5fc82540f11a983de2f921f1d4
SHA256

1c0ea41a70781315440312506580579d6cec23288406d54adfc9fe12d4980ddb
SHA512

44bce501e229c0eb863f185dc60f30315e353fad1fe3c7ad39e47cde02f05ee6710e04a220012e77a33d886b1ca0c34e1f27f8d33ca53210384ce16906687e53
SSDEEP

6144:HCaFa8yclQhILyrBNDgb4+tAwB1xpxl0bWn1CGnjjiQzefT:iaFdWrorjPiL

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2504	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2046\inf2046.dat	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Registration\DigitalProductSubId = 12520000c43d00008e4b0000c3120000db0100001c630000ac7d00003455000075fe0700	regsvr32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\ = "Java(tm) Plug-In 2 SSV Helper"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\MiscStatus\ = "8999"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\MiscStatus\cp = "¸°ÓÏâèßëôñ]u\|wykt;;f=<ADky\x7fxEDILE\|zŽ"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\MiscStatus\ID = "11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b66d9603d3359ccb1aabc9f5779b0553_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631C3DC4-5212-12C3-5534-4B8E7DAC01DB}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2636	2040	regsvr32.exe	30
PID 2636 wrote to memory of 2504	2636	regsvr32.exe	31
PID 2636 wrote to memory of 2504	2636	regsvr32.exe	31
PID 2636 wrote to memory of 2504	2636	regsvr32.exe	31
PID 2636 wrote to memory of 2504	2636	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b66d9603d3359ccb1aabc9f5779b0553_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b66d9603d3359ccb1aabc9f5779b0553_JaffaCakes118.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe C:\Windows\system32\2046 /setintegritylevel (OI)(CI)low /T /C
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\2046\inf2046.dat

Filesize
3KB

MD5
be44fd509bba5430856b1753101d99b9

SHA1
824390da57f548f4af6b1d9972d5b077c85a302b

SHA256
1bb32124f740af140b436534dc33b00602025c5f0fbd08bd9876f4dc4b6da261

SHA512
873b5cf17203d37992d75fdb1a2a6476a291e05646a8eceb90c6566d7ea452b374ebef07a6435e6cdbf0b487ec85b469f98a35c1d500be4a422308a170f0b227

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads