21d1800941f0ded92a86f74f594496c92eaf05ae5cec42ef1836bc2dbd220582

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe
Size

1.3MB
MD5

90ee8342ee7b786b303981daf9b35f84
SHA1

115ab8654cf2950e359ba1107330260cdc0c556b
SHA256

21d1800941f0ded92a86f74f594496c92eaf05ae5cec42ef1836bc2dbd220582
SHA512

1f82325dac1ac5db4103855a1401f7b0e71a254cd19bacfa4c6287a77af7d45316be4ca7c7034d06a71abd35454e56eeb40be327576f756782c1b6a6b739ad39
SSDEEP

24576:SUavQvvOLF+Wma8e1nDm0XKSe3NgzXB7/0WOTOZZsDMXVnvtD9bXl7NvbhpM:SUaYvmdCepm0XONgT90WOTOZZsDMXltq

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

U6ftBfv.exe

pid process

2112 U6ftBfv.exe
Loads dropped DLL 4 IoCs

Processes:

90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exeU6ftBfv.exeregsvr32.exeregsvr32.exe

pid process

2236 90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe
2112 U6ftBfv.exe
2300 regsvr32.exe
2988 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2112	U6ftBfv.exe

pid	process
2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe
2112	U6ftBfv.exe
2300	regsvr32.exe
2988	regsvr32.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

U6ftBfv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfbbflhdimnpanfjlbegfghhiodecil\1.0\manifest.json	U6ftBfv.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

U6ftBfv.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker"	U6ftBfv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1"	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

U6ftBfv.exe

description	ioc	process
File created	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb	U6ftBfv.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb	U6ftBfv.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat	U6ftBfv.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat	U6ftBfv.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll	U6ftBfv.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll	U6ftBfv.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll	U6ftBfv.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll	U6ftBfv.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeU6ftBfv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	U6ftBfv.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	U6ftBfv.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	U6ftBfv.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	U6ftBfv.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

U6ftBfv.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment"	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.dll"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Implemented Categories	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker"	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID\ = "YoutubeAdblocker"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.dll"	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Programmable	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	U6ftBfv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	U6ftBfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	U6ftBfv.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exeU6ftBfv.exeregsvr32.exe

description	pid	process	target process
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2236 wrote to memory of 2112	2236	90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe	U6ftBfv.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2112 wrote to memory of 2300	2112	U6ftBfv.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe
PID 2300 wrote to memory of 2988	2300	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

U6ftBfv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	U6ftBfv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} = "1"	U6ftBfv.exe

C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe
"C:\Users\Admin\AppData\Local\Temp/00294823/U6ftBfv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2988

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.dat
Filesize
3KB

MD5
0a36dc65e730c415d3bcd5edfc87d61f

SHA1
78aa977adeb8f6134a9c286e0b44ada2ae4aefbb

SHA256
c777ce051b3ffdc60df65b9b8c0e38d96b4ad185790e59c2d277d861a4e9473f

SHA512
31b8bad7baac7e914d2eecd2921d8793b27fe2790e442cd00fb9104a4976c960a248dfd076e1b3b1eeec0a3eba4038a04990653abc6e439ef4ee38efa5898c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js
Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest
Filesize
106B

MD5
50452501ade8b9448fa931bb4bea21c4

SHA1
0736a83abdd0af5685b9657279029d62ad036993

SHA256
b23397cdb3a248dbc389f38a07707da7ce8d954b4230c0ffdb67eb69f9c9e654

SHA512
905f414caa5c3a0d4fe505bdfd9f2b76655326a5ebe96f0dbef9df172a2e561c17dd4d56bb637ad395ac698bd614c174ad5f3fabddd36a3d7382944c944cf3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js
Filesize
9KB

MD5
61e93ac555bbff0b5647ef4aa24b8629

SHA1
cb0e38a297d0113c9805890fe5e63f75a5b2aed4

SHA256
d9cdfa6a9ca356f4911e079fa47a56fbdf7700a4830a0e190e31843ac0086307

SHA512
6abbec8837e9f1d65039c836740984f279f2e5c24e5f04aae0676d0466eede1604c4a05f130069ae1cc30b34d44aa3c2b75a12b5e4279767a84db3c5dcc4a906

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf
Filesize
610B

MD5
98723f15454a2ecd49db303104f16037

SHA1
8d205343e5c90b2eae90bb87a19033148538b9f8

SHA256
c57fe93063c0b959a29a62a874cce8c39bbb01eb56fe650f93721bdae713d5ca

SHA512
5fd4d7471c502022b4ae30aa1c35e09c317c49aed030bd411d2e2c7667c5b4998d2e4bb7e19358ceef68e3bb666099ca0a568943ddf90c254f68fc2119047bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\Ih6wXqy.js
Filesize
5KB

MD5
96187b0ed17a091dfede72ca246e2498

SHA1
1ef3486c647c50e6506052a0063be6cdc07a9e38

SHA256
3d00d628eded5e566c631d153248f4fdbcb9d4ef8e2abc89ce7f4aab72363dcc

SHA512
054de08ce6228290fe17b1093b0ea0b4ff26f09e7b2d507ebbec6d6dc361f19a6e2c11ab671c3746f7510185c366c12615173a5495db77f3c367a41b0bba88b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\background.html
Filesize
144B

MD5
ffb25881891c497b4c2312791670a4c7

SHA1
5960f2f88e769702ff8837f08d123526b3b2b354

SHA256
99095a8ce5c6d67aacc7e0311d153f94d68a8c1ddda406ce41a24fdd9e94a358

SHA512
4f976d4ae3cfc7da974b70eafd111bf9ed76c25b2167bff29352a0a3ecf587ed93506631b92672185084fb7454dae75c2005b5e092dd45b43afe156360be25ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\content.js
Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\lsdb.js
Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\manifest.json
Filesize
508B

MD5
e2832fbedae560495781610b5c511afa

SHA1
95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108

SHA256
6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2

SHA512
2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\sqlite.js
Filesize
1KB

MD5
73a28b445cb1854ee8f62a9df59bd7ca

SHA1
9e811ab93797974f1ec15103cd1e01b04d4e5b5c

SHA256
0d7fe287680ed1fc12921d0d6b3666ffc499660d5f0e687600c827880d95773a

SHA512
03380ce43d65024dd546cc70ee204ee2bd53b55f7b23ea23b57a3a1d352997898f4ea8dd6f1372ce1e16bec189383dedc5a10b5e1ea7ef13aa56854be90da6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.dll
Filesize
363KB

MD5
9afeb7fa65aa31c6b871237d14a8fb94

SHA1
58f99ae9ea22f56f28b6c5fa798bda3109f297f6

SHA256
4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a

SHA512
311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.tlb
Filesize
3KB

MD5
9f260bfcd1ef83627ceb2792ee3324f5

SHA1
078164529ae639e5ff9cf0e4003a82259c2aace8

SHA256
8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526

SHA512
3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.x64.dll
Filesize
398KB

MD5
410bb7e2c88f92de31b83a173e173e2d

SHA1
ff40233a038f80b7b1513431d6a9632e8f0e39f0

SHA256
afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3

SHA512
d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe
Filesize
356KB

MD5
6223a19e77e3b9b4f633e8863ee1cf40

SHA1
ee5ec9cffb59790d553f5a3394ad5808e1e37446

SHA256
d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46

SHA512
66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads