5b1ca330879bdeab794b21e7f957794dc4e674ec66af6bfad1bd3f925a511787

General

Target

cff1598da2f2daeaabfd252550d47e00_JaffaCakes118.dll
Size

564KB
MD5

cff1598da2f2daeaabfd252550d47e00
SHA1

34b9fd8600b9c25ad10c10eeb6034fb1a0152599
SHA256

5b1ca330879bdeab794b21e7f957794dc4e674ec66af6bfad1bd3f925a511787
SHA512

5d82fc2327fe3020c8bf105727da8c2a751f61671072cded0328239bbf7a8ff7bec7bbccb6b5fad6a28dd6203fecb2efdeba1838680ebaf7b503cd43107e1a6b
SSDEEP

12288:GXSLvDpZobdM2l3Ie3h/nb74XLpiDHkdoyx0nxkeLgsRYQyBDY07:GXSrDpZsvl3IkhvY7cDyoymkdsmBD77

Score

6^/10

adware discovery stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\VersionIndependentProgID\ = "DosSpecFolder.DosSpecFolder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cff1598da2f2daeaabfd252550d47e00_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder\CLSID\ = "{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1\CLSID\ = "{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\ = "DosSpecFolder Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\TypeLib\ = "{BAD59A24-6891-417D-A041-C8FD495B77F1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder\ = "DosSpecFolder Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\ProgID\ = "DosSpecFolder.DosSpecFolder.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder\CurVer\ = "DosSpecFolder.DosSpecFolder.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1\ = "DosSpecFolder Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3408	4192	regsvr32.exe	83
PID 4192 wrote to memory of 3408	4192	regsvr32.exe	83
PID 4192 wrote to memory of 3408	4192	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cff1598da2f2daeaabfd252550d47e00_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\cff1598da2f2daeaabfd252550d47e00_JaffaCakes118.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3408-0-0x0000000010000000-0x0000000010093000-memory.dmp

Filesize
588KB

Download
memory/3408-1-0x0000000010000000-0x0000000010093000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing