Malware Analysis Report

2025-01-18 21:48

Sample ID 240414-2l82jaad9x
Target efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118
SHA256 2495916062a4b562e4a6285f5c42d8bc60a9f24e075aac49bd5ac0878d2d10d3
Tags
aspackv2 adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2495916062a4b562e4a6285f5c42d8bc60a9f24e075aac49bd5ac0878d2d10d3

Threat Level: Shows suspicious behavior

The file efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 adware stealer

Deletes itself

ASPack v2.12-2.42

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 22:41

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 22:41

Reported

2024-04-14 22:43

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wbem\zjexvmvnb.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\56a3fcf460.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dnabeser.dat C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\56a3fcf460.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\2340\svchost.exe C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\2340\svchost.exe C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\zjexvmvnb.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zjexvmvnb.QQBExpTool\Clsid\ = "{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000005458d165100057696e646f7773003c0008000400efbeee3a851a5458d1652a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ProgID\ = "zjexvmvnb.QQBExpTool" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ = "Explor.Tool" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zjexvmvnb.QQBExpTool C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zjexvmvnb.QQBExpTool\ = "Explor.Tool" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zjexvmvnb.QQBExpTool\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4a003100000000008e582cb510007762656d0000360008000400efbeee3a881a8e582cb52a000000690e00000000010000000000000000000000000000007700620065006d00000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32\ = "C:\\Windows\\SysWow64\\wbem\\zjexvmvnb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 56003100000000008e582cb5100053797374656d333200003e0008000400efbeee3a861a8e582cb52a00000027090000000001000000000000000000000000000000530079007300740065006d0033003200000018000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4a003100000000008e582cb51000323334300000360008000400efbe8e582cb58e582cb52a0000002e34010000000d0000000000000000000000000000003200330034003000000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2184 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2184 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2184 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 2184 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 2184 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 2184 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 2184 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2184 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Windows\system32\wbem\2340" /t /e /g everyone:f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s C:\Windows\system32\wbem\zjexvmvnb.dll

C:\Windows\SysWOW64\EXPLORER.EXE

EXPLORER.EXE /e,C:\Windows\system32\wbem\2340\

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$306609.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp.hjob123.com udp
CN 182.61.201.92:31890 udp.hjob123.com udp
CN 182.61.201.92:31890 udp.hjob123.com udp

Files

memory/2184-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\SysWOW64\wbem\zjexvmvnb.dll

MD5 2b03da7fdb94c5922ef7b3c71cfef71b
SHA1 65a0f25224e5686b5f2f8c29a2f296da3418365a
SHA256 88b4f3f76a8897f934e987bddc07f648856954d5fa1df20c2fee1f950831aee8
SHA512 5f1210acffeecf481f60938c0b79c397af2374763d794d2ac7f273345a488d21eaa3c3fbec0789dbba3a7463258a6b95ddf1fd2ad70a269dd9b4bb29bac37204

memory/2604-8-0x0000000003A80000-0x0000000003A81000-memory.dmp

memory/2604-7-0x0000000003A90000-0x0000000003AA0000-memory.dmp

memory/1136-9-0x0000000002D60000-0x0000000002D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$306609.bat

MD5 e15adfdbce83ca0ea384e0ca9aa2b2d5
SHA1 c44824735d3ceb94dc5d3394139e10309841d96b
SHA256 ab98168a47e7e762f5c6aa20239a55117f8563dc434c4c9530b2befd59059f19
SHA512 d5a6c87464eab7372ba0e72267d271d45b1a08e1ed61ebc8230052329323069b0175a0a260ec59573fcb60fe6549658d82649285d84ec15b4571db9c6b095643

memory/2184-30-0x0000000000400000-0x00000000004F9000-memory.dmp

memory/2604-32-0x0000000003A80000-0x0000000003A81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 22:41

Reported

2024-04-14 22:43

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\36a550d6bd.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\0944\svchost.exe C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\0944\svchost.exe C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\cjnfetvnb.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\cjnfetvnb.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\36a550d6bd.dll C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dnabeser.dat C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a003100000000008e582eb5100053797374656d33320000420009000400efbe874f77488e582eb52e000000b90c00000000010000000000000000000000000000001c318900530079007300740065006d0033003200000018000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cjnfetvnb.QQBExpTool C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32\ = "C:\\Windows\\SysWow64\\wbem\\cjnfetvnb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cjnfetvnb.QQBExpTool\ = "Explor.Tool" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ = "Explor.Tool" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 56003100000000008c583a61100057696e646f777300400009000400efbe874f77488e5833b52e00000000060000000001000000000000000000000000000000253c1f01570069006e0064006f0077007300000016000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cjnfetvnb.QQBExpTool\Clsid\ = "{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cjnfetvnb.QQBExpTool\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4e003100000000008e5833b510007762656d00003a0009000400efbe874fdb498e5834b52e000000ef1300000000010000000000000000000000000000008f5053007700620065006d00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4e003100000000008e5833b510003039343400003a0009000400efbe8e5830b58e5833b52e000000d73302000000070000000000000000000000000000008f5053003000390034003400000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCF2A9FD-79EA-4242-8CFF-6FA25FA3DB7A}\ProgID\ = "cjnfetvnb.QQBExpTool" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1544 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1544 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1544 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1544 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1544 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1544 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 1544 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 1544 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\EXPLORER.EXE
PID 1544 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efae33bbb57cc1eb8d66d168b35951fa_JaffaCakes118.exe"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Windows\system32\wbem\0944" /t /e /g everyone:f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s C:\Windows\system32\wbem\cjnfetvnb.dll

C:\Windows\SysWOW64\EXPLORER.EXE

EXPLORER.EXE /e,C:\Windows\system32\wbem\0944\

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$306609.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp.hjob123.com udp
CN 182.61.201.91:31890 udp.hjob123.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.201.61.182.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
CN 182.61.201.91:31890 udp.hjob123.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1544-0-0x0000000002290000-0x0000000002291000-memory.dmp

C:\Windows\SysWOW64\wbem\cjnfetvnb.dll

MD5 2b03da7fdb94c5922ef7b3c71cfef71b
SHA1 65a0f25224e5686b5f2f8c29a2f296da3418365a
SHA256 88b4f3f76a8897f934e987bddc07f648856954d5fa1df20c2fee1f950831aee8
SHA512 5f1210acffeecf481f60938c0b79c397af2374763d794d2ac7f273345a488d21eaa3c3fbec0789dbba3a7463258a6b95ddf1fd2ad70a269dd9b4bb29bac37204

memory/1544-7-0x0000000000400000-0x00000000004F9000-memory.dmp

C:\Windows\SysWOW64\36a550d6bd.dll

MD5 7e4f42039fb26906eb3bfa45e42c08fd
SHA1 1036b5b56860b2221677739774f79b669416ed3b
SHA256 f38f7684d244d71477bf5231ab11e8e5b03fd6bb09caa1b7681dddb1e0525ba2
SHA512 e4ac00a776b2e510c893792db88717df51d554ba8fe5af318c75f5121f6db352bcfa9d9b547d44d5d3c6e58b77944148b1651689b89a3ba92e8a1c7c32e2617a

memory/1544-22-0x0000000000400000-0x00000000004F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$306609.bat

MD5 e15adfdbce83ca0ea384e0ca9aa2b2d5
SHA1 c44824735d3ceb94dc5d3394139e10309841d96b
SHA256 ab98168a47e7e762f5c6aa20239a55117f8563dc434c4c9530b2befd59059f19
SHA512 d5a6c87464eab7372ba0e72267d271d45b1a08e1ed61ebc8230052329323069b0175a0a260ec59573fcb60fe6549658d82649285d84ec15b4571db9c6b095643