519f332bc025d9f58302457b694d03d6554c2cd61b57b361c8735a8e47796be9

General

Target

37ad38f7c434aca01c0cd3bd437fe1f4_JaffaCakes118.dll
Size

56KB
MD5

37ad38f7c434aca01c0cd3bd437fe1f4
SHA1

a2cc67ecb7064a2492a9ff322fadb89ab3fffd3e
SHA256

519f332bc025d9f58302457b694d03d6554c2cd61b57b361c8735a8e47796be9
SHA512

4962760345cb0f7bf073460be71246e95ffdf6bb34dc655284c5d3a0b35c96ecf3d04d49c42e3b1be3d3dd082027991373dc9ace99eb90904e135fed579b0739
SSDEEP

768:+qby8SiRvrAlHippvnSXwXOhecrCBnMsvjZUViZmD9n0C9EVy9h2gj+S3X:7S8AdippvnS37CV+Zb39X6O

Score

6^/10

adware discovery stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7BA4C38C-6BE5-4F3C-980B-CEB48A777413}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BA4C38C-6BE5-4F3C-980B-CEB48A777413}	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\DisplayName = "°Ù¶È"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\URL = "http://www.baidu.com/s?tn=leizhen_dg&ie=utf-8&wd={searchTerms}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9}\DisplayName = "Google"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9}\URL = "http://www.gggdu.com/google?q={searchTerms}"	regsvr32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BA4C38C-6BE5-4F3C-980B-CEB48A777413}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BA4C38C-6BE5-4F3C-980B-CEB48A777413}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37ad38f7c434aca01c0cd3bd437fe1f4_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BA4C38C-6BE5-4F3C-980B-CEB48A777413}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage\Command	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31
PID 2272 wrote to memory of 1172	2272	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\37ad38f7c434aca01c0cd3bd437fe1f4_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\37ad38f7c434aca01c0cd3bd437fe1f4_JaffaCakes118.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1172