Malware Analysis Report

2025-01-18 21:40

Sample ID 240415-kp2cesda2v
Target f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118
SHA256 f02074eeb1cba11ac24a507940543b0ffb18121b7a23a556bfb53e0c74a8fc84
Tags
adware discovery stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral3, behavioral5, behavioral13, behavioral15, behavioral16, behavioral2, behavioral10, behavioral11, behavioral12, behavioral4, behavioral8, behavioral18, behavioral20, behavioral17, behavioral19, behavioral1, behavioral6, behavioral7, behavioral9, behavioral14 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

f02074eeb1cba11ac24a507940543b0ffb18121b7a23a556bfb53e0c74a8fc84

Threat Level: Shows suspicious behavior

The file f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Modifies Internet Explorer Protected Mode Banner

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 08:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 228

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 228

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 248

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 228

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4348 wrote to memory of 208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48955792-5def-1512-197b-8ff3172ceb3b} | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48955792-5def-1512-197b-8ff3172ceb3b}\NoExplorer = "\"\"" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\nss6777.dll | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\adzgalore-remove.exe | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Modifies Internet Explorer Protected Mode Banner

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48955792-5def-1512-197b-8ff3172ceb3b} | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48955792-5def-1512-197b-8ff3172ceb3b}\ = "adzgalore" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48955792-5def-1512-197b-8ff3172ceb3b}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48955792-5def-1512-197b-8ff3172ceb3b}\InProcServer32\ = "C:\\Windows\\SysWow64\\nss6777.dll" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48955792-5def-1512-197b-8ff3172ceb3b}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 adzgalore.biz udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc6718.tmp\System.dll

MD5 32465a07028b927b22c38e642c2cb836
SHA1 309cac412b2ecf6a36f6e989c828afcdd8c7a6e4
SHA256 eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292
SHA512 9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

C:\Users\Admin\AppData\Local\Temp\nsc6718.tmp\Math.dll

MD5 468914ab4ea3afc6fda29031c758394e
SHA1 d3b632778a03567efa761401151bfe80d0fe956c
SHA256 8a8d78657f0f6b44f18b16e7eea3e62eef6720e04cd2efc820d62bbe987afac1
SHA512 0b3df17a3a17a82ba7092ff384c7d820d9f1103fcfa732fb399cf0ff065ec6913a73bea433e19ad787bccf272059e39d196322445d9a6327bb25738f343926ce

memory/928-46-0x0000000002260000-0x000000000227A000-memory.dmp

memory/928-60-0x0000000002260000-0x00000000022B2000-memory.dmp

C:\Windows\SysWOW64\nss6777.dll

MD5 dc21e047a5c144e913f368423786d6cc
SHA1 272ae16afdbe0994ad797996ede07b8e045ca036
SHA256 b7f8e9c663515cc1e1deaddabe285959c668ffc6346d82ae97e35f021d30afa9
SHA512 301689078e21b17ae27e5a4e6f3235510b0c3ec2d1ec022ba5ac0c1b12e4e0bbf18d538a0ee362b39a0ad8667223c15f2b2a7e7a2315bbcdbd73545582bce9bd

C:\Users\Admin\AppData\Local\Temp\nsc6718.tmp\NSISdl.dll

MD5 997ae296af5b7ca9aaa52f6844075439
SHA1 9814f0b09219ac2eed875d842b9362c3b32bec6f
SHA256 1d74275fb0ddcb7c01a92c4ea5c7ef137cdfa0b48ae2b293f0ea178b355cbaa8
SHA512 a81ee17129278a185e91f6615da2d9e47940580fcaac3806ace17a0c0e48995f8e85de6deedcec502782141acd381fb7dd1c72a93fcd40112afadc3741572349

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5020 wrote to memory of 732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 31709de9a5d9f2906dce36c836e4e055
SHA1 cc59ca78fa077fff9384570189ac16b091bf49ec
SHA256 21f7cb13c3a8d35e8533ffa55485a4c1c7c35e41d93893cbc0dda43b3b00e7e5
SHA512 bfd57f3bf8ec9c7ed04e51e67b2e0f0428cb811f0d1bf2015b78a0d5e93c65aa4da1648fe49bfecd88b7f613ef6ba4b9106fc19053c39d96011d0f18ce2ddf74

\Users\Admin\AppData\Local\Temp\nsyEC3.tmp\InstallOptions.dll

MD5 cd6e705cc6992e869f488ab211ac37cb
SHA1 c9c71edd929c15bcf5ee286d4a9e9259d1590eb5
SHA256 44e729371099650904bcd5db0af7fdad6ffc01e336ae464f0bb151f329175292
SHA512 460173bbcff640721e54bb403e1f46d274e649a9db7d3b83d009a7f00354d434874dfdc009679e98cfb05548801b9eee78c25fe17b083fac396087ad3327debf

C:\Users\Admin\AppData\Local\Temp\nsyEC3.tmp\validate.ini

MD5 ef89a0105c8871f78c07ac75c3a8ac2f
SHA1 1ebb767749c27f72f290c5cb161deb6c40ebafd2
SHA256 04b5169acbff95e8037e5cc617b9824ea6f321498461a74969717ec4c63a7836
SHA512 6c7a776a53c92c855483939e7d3caf48dcedd775bbd98e6024f3d1cf2383f6a2b66fc135d5ec2e3a95d9f991e5a4e3c32660550a921e4795cad4f2729ce36c19

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\adzgalore-remove.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3676 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 31709de9a5d9f2906dce36c836e4e055
SHA1 cc59ca78fa077fff9384570189ac16b091bf49ec
SHA256 21f7cb13c3a8d35e8533ffa55485a4c1c7c35e41d93893cbc0dda43b3b00e7e5
SHA512 bfd57f3bf8ec9c7ed04e51e67b2e0f0428cb811f0d1bf2015b78a0d5e93c65aa4da1648fe49bfecd88b7f613ef6ba4b9106fc19053c39d96011d0f18ce2ddf74

C:\Users\Admin\AppData\Local\Temp\nsyF3D9.tmp\InstallOptions.dll

MD5 cd6e705cc6992e869f488ab211ac37cb
SHA1 c9c71edd929c15bcf5ee286d4a9e9259d1590eb5
SHA256 44e729371099650904bcd5db0af7fdad6ffc01e336ae464f0bb151f329175292
SHA512 460173bbcff640721e54bb403e1f46d274e649a9db7d3b83d009a7f00354d434874dfdc009679e98cfb05548801b9eee78c25fe17b083fac396087ad3327debf

C:\Users\Admin\AppData\Local\Temp\nsyF3D9.tmp\validate.ini

MD5 a0a691e0576da4abc2591ee58605d51a
SHA1 ac19010baaa432c6cb66a941f20428d805b9653b
SHA256 51c9c30cc14ffe9fb7e0512eaffa39a66eb15842bd3f483ffd325a82d33e3e9c
SHA512 f5b3b884d6067d8389dfbcf22318f4f3ede3cf5af0304be1e73196cd1686cab9244c769159b34703fd3cddd4084c449c9515d629f076345b1ed2d830552873c5

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2424 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2424 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1908 wrote to memory of 1304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1304 -ip 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2596 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3028 -ip 3028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 139.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{722d1b64-7c40-dfde-8086-0dbe5c58715c}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{722d1b64-7c40-dfde-8086-0dbe5c58715c} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{722d1b64-7c40-dfde-8086-0dbe5c58715c}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{722d1b64-7c40-dfde-8086-0dbe5c58715c} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{722d1b64-7c40-dfde-8086-0dbe5c58715c}\ = "adzgalore" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{722d1b64-7c40-dfde-8086-0dbe5c58715c}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{722d1b64-7c40-dfde-8086-0dbe5c58715c}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4412 wrote to memory of 2000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4412 wrote to memory of 2000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4412 wrote to memory of 2000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 228

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be151faa-c0d4-377e-ae0c-a1fa65f39c87} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{be151faa-c0d4-377e-ae0c-a1fa65f39c87}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{be151faa-c0d4-377e-ae0c-a1fa65f39c87}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{be151faa-c0d4-377e-ae0c-a1fa65f39c87}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{be151faa-c0d4-377e-ae0c-a1fa65f39c87} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{be151faa-c0d4-377e-ae0c-a1fa65f39c87}\ = "adzgalore" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{be151faa-c0d4-377e-ae0c-a1fa65f39c87}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2} C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2}\NoExplorer = "\"\"" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\nst129A.dll C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\adzgalore-remove.exe C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2} C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2}\ = "adzgalore" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2}\InProcServer32\ = "C:\\Windows\\SysWow64\\nst129A.dll" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1e3aa6ef-ba27-04cd-f3cb-2260753c2ca2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0afec022f8492766bfefd0d07ef8abf_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 adzgalore.biz udp

Files

\Users\Admin\AppData\Local\Temp\nso11DE.tmp\System.dll


\Users\Admin\AppData\Local\Temp\nso11DE.tmp\Math.dll


memory/2000-45-0x00000000003E0000-0x00000000003FA000-memory.dmp

\Windows\SysWOW64\nst129A.dll


memory/2000-54-0x0000000001E80000-0x0000000001ED2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso11DE.tmp\NSISdl.dll


Analysis: behavioral6

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 624

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsBrowserOpt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-15 08:47

Reported

2024-04-15 08:49

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 636

Network


Files

N/A