a173bef5d448b0dcfdac51b96918407b6eadbf669d2c391862a4dcd0f6bf9f09

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Size

17KB
MD5

fd7ff2d97a7f7abe9fd7e9bc8f46a30a
SHA1

31bc06f50441461de920a49a2bd6451a5ad56814
SHA256

a173bef5d448b0dcfdac51b96918407b6eadbf669d2c391862a4dcd0f6bf9f09
SHA512

0417a439790cfef20cbbcb83e9670c20da893d3be4c9241210c447c1eed88e1bfbd3e7a36a67fa5858736c69b4abbc1f65b85839979a08c881a79e6fe99829cb
SSDEEP

384:4Fy7zxdIzr2q2pe0VuVB/0rsBz4sqaX5h+mHx3iWlW8PDI:lYrl2pvYVB0rijXi0x/nPD

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001224e-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2616	sbsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-1-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x000b00000001224e-2.dat	upx
behavioral1/files/0x00080000000122cd-8.dat	upx
behavioral1/memory/2616-14-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2584-15-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.gateietool.com/redirect.php"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.searchagate.com/index.php?b=1&t=0&q={searchTerms}"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Search	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sbmdl.dll"	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
2616	sbsm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2616	2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2616	2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2616	2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2616	2584	fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd7ff2d97a7f7abe9fd7e9bc8f46a30a_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sbmdl.dll

Filesize
8KB

MD5
3f95bf1f1cd9768e185fe74a84536693

SHA1
9cd59e8408f11ea2628162a858796c2c2023dce1

SHA256
08e98004486dfc4aaf540168253040ecb968cbdaff65f57453b449bf5e34604a

SHA512
639a9a07ab03d0d529e55e2bb11fe29473b92a22053fa3a8b889f2158621c6d2c407964d28b5ac73c9edd9733a7c819e3da445ce9f6e4968697e1488b460f535

Download Submit
\Users\Admin\AppData\Local\Temp\sbsm.exe

Filesize
4KB

MD5
3b7a68fdd1efe5bd0a243f5274bdda8a

SHA1
a1820ce5a9e80dd3904155e3f999615fcd0e711d

SHA256
33b9a3d58f8d3a3e6d104e1cdcc97b4d54e73f980a14ffa2fec1013e5fa35a56

SHA512
8d28436be500418c2ba9618ef35a98903c5d5d549b479a715541662e6c400cfb25842a3415171fb449a312b8cad25c949ab0fa739862c2f095afda03a5d82ee7

Download Submit
memory/2584-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2584-13-0x0000000001C90000-0x0000000001C97000-memory.dmp

Filesize
28KB

Download
memory/2584-4-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2584-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2584-17-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2584-20-0x0000000001C90000-0x0000000001C97000-memory.dmp

Filesize
28KB

Download
memory/2584-21-0x0000000001C90000-0x0000000001C97000-memory.dmp

Filesize
28KB

Download
memory/2616-14-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download