Malware Analysis Report

2025-01-18 21:38

Sample ID 240415-vpt88adg9x
Target f19008d768186f383e4689279af615e6_JaffaCakes118
SHA256 401b2c3651b6f7aded8c3a691c7852aeae6a18798dafc0d727e93aff776ac52f
Tags
adware stealer upx
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

401b2c3651b6f7aded8c3a691c7852aeae6a18798dafc0d727e93aff776ac52f

Threat Level: Shows suspicious behavior

The file f19008d768186f383e4689279af615e6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks computer location settings

Deletes itself

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-15 17:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 17:10
Reported: 2024-04-15 17:12
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{890C7964-9320-4055-BE11-7D7B562A6417} | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\helper.xml | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\mstrans.dll | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\VersionIndependentProgID\ = "Helper.Helper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mstrans.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ProgID\ = "Helper.Helper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\TypeLib\ = "{C96aC303-ADB0-4f4b-BBAA-D037694D3590}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ = "Helper Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1640 wrote to memory of 848 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1640 wrote to memory of 1628 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s mstrans.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F19008~1.EXE >> NUL

Network

N/A

Files

C:\Windows\SysWOW64\mstrans.dll

MD5 fb27d1cac152992654ae662e34f5b350
SHA1 4af2613c8772adf849bc099cf7e931f378a48d37
SHA256 a541d24d0c3713d22a21b2310ebf170929f10371a4528fd5ab1181f7f622aab2
SHA512 ace64a4efe00ef589ccfbb8c83a2d3fbb3c9e55665c98195f523e8ec54e59d0f1a4576603c4fe6b8d2d0491b8b5ce45f3c69d254f6912ea2c56fd85a8d789c1f

memory/848-4-0x0000000020000000-0x0000000020023000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 17:10
Reported: 2024-04-15 17:12
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{890C7964-9320-4055-BE11-7D7B562A6417} | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\helper.xml | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\mstrans.dll | C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\TypeLib\ = "{C96aC303-ADB0-4f4b-BBAA-D037694D3590}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\VersionIndependentProgID\ = "Helper.Helper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ = "Helper Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32\ = "C:\\Windows\\SysWow64\\mstrans.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{890C7964-9320-4055-BE11-7D7B562A6417}\ProgID\ = "Helper.Helper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f19008d768186f383e4689279af615e6_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s mstrans.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F19008~1.EXE >> NUL

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\mstrans.dll

MD5 fb27d1cac152992654ae662e34f5b350
SHA1 4af2613c8772adf849bc099cf7e931f378a48d37
SHA256 a541d24d0c3713d22a21b2310ebf170929f10371a4528fd5ab1181f7f622aab2
SHA512 ace64a4efe00ef589ccfbb8c83a2d3fbb3c9e55665c98195f523e8ec54e59d0f1a4576603c4fe6b8d2d0491b8b5ce45f3c69d254f6912ea2c56fd85a8d789c1f

memory/2144-4-0x0000000020000000-0x0000000020023000-memory.dmp