3da10dcaea107e534e5f157892f292c686d9bef1883078b300a60c0db50fe8dc

General

Target

df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Size

346KB
MD5

df6b7a1de4efb060f5d968c06227eec9
SHA1

ddca8d54bef15e03fbb36e002261f1ec92b4c863
SHA256

3da10dcaea107e534e5f157892f292c686d9bef1883078b300a60c0db50fe8dc
SHA512

b4a6850f1e7fa2f3155db394b3edf6ba4d80db4edcffc981f1026b49a3dba9370f3714e271a38c4edc5bc0febf9eded745c2bf0a459a2815fd3c38a24550cdff
SSDEEP

6144:BkpVitWt7JLIL8zJVrgyyAEwYIB3tZDt2hm/0uGwnUNaaybBRmwlJjPTxyk:S9USJ1yAEiBXtPvUN1y9RmOyk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3524	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
3524	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{062D8468-C491-4324-94FE-44C49F37BB33}	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{062D8468-C491-4324-94FE-44C49F37BB33}\NoExplorer = "1"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STCTRWatcher.STCTRWatcher	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STCTRWatcher.STCTRWatcher\ = "Õ¾µãÍ³¼Æ"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STCTRWatcher.STCTRWatcher\Clsid	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STCTRWatcher.STCTRWatcher\Clsid\ = "{062D8468-C491-4324-94FE-44C49F37BB33}"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\ProgID\ = "STCTRWatcher.STCTRWatcher"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\ = "Õ¾µãÍ³¼Æ"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\InprocServer32\ThreadingModel = "Apartment"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\InprocServer32	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\STCTRWatcher.dll"	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{062D8468-C491-4324-94FE-44C49F37BB33}\ProgID	df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df6b7a1de4efb060f5d968c06227eec9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STCTRWatcher.dll

Filesize
189KB

MD5
ca6894f30dd78f9e30aef05b9f43023b

SHA1
320fbc89b2bb20062861c30a359e630f49a7bb38

SHA256
605dba04e046c57accdafd288c18a29a9a864ee899e8f944a5c2558021793842

SHA512
c459bd4a0d967b64d1c911becf72f250b7427202a2ceb97fadc784b00c8bcd62edb49992bd01c67116cff378047321a9ece84286a9d04978ac90109e5813a02b

Download Submit
memory/3524-2-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3524-13-0x00000000021F0000-0x00000000021F3000-memory.dmp

Filesize
12KB

Download
memory/3524-10-0x0000000002460000-0x0000000002463000-memory.dmp

Filesize
12KB

Download
memory/3524-9-0x0000000002280000-0x0000000002301000-memory.dmp

Filesize
516KB

Download
memory/3524-11-0x0000000002280000-0x0000000002301000-memory.dmp

Filesize
516KB

Download
memory/3524-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3524-1-0x00000000021F0000-0x00000000021F3000-memory.dmp

Filesize
12KB

Download
memory/3524-12-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3524-14-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3524-15-0x0000000002460000-0x0000000002463000-memory.dmp

Filesize
12KB

Download
memory/3524-16-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3524-23-0x0000000002280000-0x0000000002301000-memory.dmp

Filesize
516KB

Download
memory/3524-24-0x0000000002280000-0x0000000002301000-memory.dmp

Filesize
516KB

Download
memory/3524-28-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing