2100dcdbfa6fa033bb725e5f352433d159854743a0816a9c2fba579bb9b54c9c

General

Target

c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
Size

9.9MB
MD5

c86f241cb990115ad71bcf314f894c39
SHA1

ddbf16e3d9ccb155901ad0cdcfd5f13c534b782a
SHA256

2100dcdbfa6fa033bb725e5f352433d159854743a0816a9c2fba579bb9b54c9c
SHA512

3399169f3ef306ff156c71ef46bbf90e370b315072eab44711061ab0fc817fad65e99b38e230b2b7919e0bf32bede1e33cb435feb27ab36a01788b5058ec40f7
SSDEEP

196608:SgsBkyS1kHHD9BTsR/FKqaq/Rd+G7Iu9rt5J4SHgY4sZ/ABLGR:TD1knzTsB4qH/X7LzJ4SAguY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2068	xa259431347.exe
2332	is-1UGSG.tmp

Loads dropped DLL 7 IoCs

pid	Process
2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
2068	xa259431347.exe
2068	xa259431347.exe
2068	xa259431347.exe
2332	is-1UGSG.tmp
2332	is-1UGSG.tmp
2196	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{924FC210-3566-3FA4-A435-36485E20F3C9}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{924FC210-3566-3FA4-A435-36485E20F3C9}\IExplore = "1"	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xa259431550.exe	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wr11026.dll	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwr11026.dll	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259431347.exe	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259431550.exe	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-1UGSG.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259431347.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ = "ID"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ = "ID"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{924FC210-3566-3FA4-A435-36485E20F3C9}\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib\ = "{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{924FC210-3566-3FA4-A435-36485E20F3C9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr11026.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\ = "LIB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE01A9F9-1FBB-3CFD-9E1A-64692F6E380D}\TypeLib\ = "{9B2D8332-1E6C-3CFD-80D5-6DF83B50E397}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{924FC210-3566-3FA4-A435-36485E20F3C9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{924FC210-3566-3FA4-A435-36485E20F3C9}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr11026.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{924FC210-3566-3FA4-A435-36485E20F3C9}	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	is-1UGSG.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2068 wrote to memory of 2332	2068	xa259431347.exe	31
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2196	2556	c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c86f241cb990115ad71bcf314f894c39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\xa259431347.exe
  "C:\Windows\system32\xa259431347.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\is-JL7U4.tmp\is-1UGSG.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JL7U4.tmp\is-1UGSG.tmp" /SL4 $500F4 "C:\Windows\SysWOW64\xa259431347.exe" 9912246 52224
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2332
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr11026.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xa259431347.exe

Filesize
9.7MB

MD5
0e6f175a3441b15e54c6237ce69d0f19

SHA1
91025259b1767189bb1c20cd3de796717cb33b2a

SHA256
aab426cdf9b1e615d64f296cd5f7ac50fa4431fcc6811016ee85b4680bf077e5

SHA512
91f5fe34afd6d7d220111408de70418ed47c735c12bd40426929166430209e2d41582f3f5ec0c99107a7595e70c03e0a2a1bb58fe900691c879ebd5888ac645d

Download Submit
\Users\Admin\AppData\Local\Temp\is-JL7U4.tmp\is-1UGSG.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
\Users\Admin\AppData\Local\Temp\is-OR9NK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Windows\SysWOW64\xwr11026.dll

Filesize
156KB

MD5
a2a5b94f59c1539cde96ef5fb9afeb51

SHA1
dc3fadddda5315959fa2dc0cc986bd9cae55d2eb

SHA256
ec4ffd9ff52457270d8133c758efc024008883c7a6851b6a0bd050ccc6671384

SHA512
ae0a8199a5350f7b6df47a2a94740e52256885fc5bcb3c70167d7087a6f1bfd16b1920b4dcd4383f9f0ce412c472fe7d3c01e2777e9c34bd3810ad9294989192

Download Submit
memory/2068-14-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2068-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2068-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2332-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing