cabae28652ec4ff34f5edf012496be16511ecef87a7f70f139f03bf456a4b76c

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
Size

25KB
MD5

e96b716d8211744daf8626838b9e190f
SHA1

da5e98c9362e73f08236a3ff03c94c78e3d5210f
SHA256

cabae28652ec4ff34f5edf012496be16511ecef87a7f70f139f03bf456a4b76c
SHA512

00295152c93f701fdf1738264db27da8e725519aa7313d79360aa059176c6e4445c1528962d0ac0209137f632f570742d1459e928718683f06eb633e29a6725f
SSDEEP

768:hAjP2Kill341cpOIqBv+mh5pHFICMYDg1WyvXu6:hAjP2K4o1cqBvjJzMuyWyv

Score

7^/10

adware persistence stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	regsvr32.exe
1244	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2376-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2376-5-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MShelp = "RUNDLL32.EXE C:\\Windows\\system32\\BhoPlugin.dll,Install"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE614961-679D-4B07-9574-3DC31751845F}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240650593	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ = "IEHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\VersionIndependentProgID\ = "BhoPlugin.IEHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ = "IIEHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32\ = "C:\\Windows\\SysWow64\\BhoPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\ = "IEHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CLSID\ = "{EE614961-679D-4B07-9574-3DC31751845F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ = "IIEHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\ = "{B3799B15-BBA9-4471-8021-8FFF6E8D3372}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\ = "IEHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CurVer\ = "BhoPlugin.IEHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\ProgID\ = "BhoPlugin.IEHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\ = "BhoPlugin 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE614961-679D-4B07-9574-3DC31751845F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\BhoPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.IEHelper.1\CLSID\ = "{EE614961-679D-4B07-9574-3DC31751845F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3799B15-BBA9-4471-8021-8FFF6E8D3372}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87935B2A-942E-49F5-BFDE-985FA1C5991E}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1244	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	95
PID 2376 wrote to memory of 1244	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	95
PID 2376 wrote to memory of 1244	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	95
PID 2376 wrote to memory of 2528	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	96
PID 2376 wrote to memory of 2528	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	96
PID 2376 wrote to memory of 2528	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	96
PID 2376 wrote to memory of 2888	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	97
PID 2376 wrote to memory of 2888	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	97
PID 2376 wrote to memory of 2888	2376	e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e96b716d8211744daf8626838b9e190f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\BhoPlugin.dll,Install
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\BhoPlugin.dll /s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240655140.bat
  2⤵
  PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240655140.bat

Filesize
226B

MD5
65da4149f1700999708ba3241575b77d

SHA1
7e1b2c651b7b4a8e44a179487f70f78213988250

SHA256
82eaf35dcef017a273e660ce175985a8ba6d13c8d39aa6784c56fdf8af495ee9

SHA512
f876c7c8304faaa04618e44f0f1cd0d7fe3b9e8b4918ab1361d44bc38d54ef637b0dfaff586f857836e9a831d8dcf52724ba1724db78fa1e1cb54993775f2b63

Download Submit
C:\Windows\SysWOW64\BhoPlugin.dll

Filesize
60KB

MD5
44a7174c200fc03cc13e275810e5ab51

SHA1
98c3832d478bf3c55d4d4c7f47c779a56e55309b

SHA256
19b962cac5a42bf81ecc45b878d8a2b2490cdf051e107f378e87049ff3e7b69f

SHA512
03f62300435f4498637382e480b6aa09db13a1e03d729b034cbfcbbbe9c7fafbb82706cf4e32890d3d8e0fa9367ae89da7da3251e0102879bd3de05f5078e1bb

Download Submit
memory/2376-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2376-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads