14c84058c3b9d2ef03bfcaf971cf6ea5488248ddb5398b4e51dbb4079d275997

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe
Size

1.5MB
MD5

91354a2b989c2a90e71af9dc57545a1e
SHA1

0137cebb0373fa719c47078be2ae8b0ceeaca26a
SHA256

14c84058c3b9d2ef03bfcaf971cf6ea5488248ddb5398b4e51dbb4079d275997
SHA512

dc7e851ca33081ec67390a019324a104de7a1af49b3e9bb6609cb313f38ad6bb3cb3c41d917c30e9dc089f20ed2dac73913f6178e0ad0652664e67a6de3c16dd
SSDEEP

24576:rh4Ti9ZxKgpXAtXiRx50EWo/nOJyi4xxFU9pOkAZWG57yyU3481RAbT6i0BO8KE:rh4Ti9Z9pwBiRx+b4DSAkW5/xiAP6zOw

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kmP.exe

pid process

3320 kmP.exe
Loads dropped DLL 3 IoCs

Processes:

kmP.exeregsvr32.exeregsvr32.exe

pid process

3320 kmP.exe
1984 regsvr32.exe
2800 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3320	kmP.exe

pid	process
3320	kmP.exe
1984	regsvr32.exe
2800	regsvr32.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

kmP.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eceocgppmpndinofealdcccbnlcbockd\1.0\manifest.json	kmP.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exekmP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker"	kmP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1"	kmP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

kmP.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\fR.dat	kmP.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll	kmP.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll	kmP.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\fR.dll	kmP.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\fR.dll	kmP.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\fR.tlb	kmP.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\fR.tlb	kmP.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\fR.dat	kmP.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exekmP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	kmP.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	kmP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

kmP.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.tlb"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID\ = "YoutubeAdblocker.1.0"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories	kmP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	kmP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.dll"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}	kmP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kmP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	kmP.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exekmP.exeregsvr32.exe

description	pid	process	target process
PID 4020 wrote to memory of 3320	4020	91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe	kmP.exe
PID 4020 wrote to memory of 3320	4020	91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe	kmP.exe
PID 4020 wrote to memory of 3320	4020	91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe	kmP.exe
PID 3320 wrote to memory of 1984	3320	kmP.exe	regsvr32.exe
PID 3320 wrote to memory of 1984	3320	kmP.exe	regsvr32.exe
PID 3320 wrote to memory of 1984	3320	kmP.exe	regsvr32.exe
PID 1984 wrote to memory of 2800	1984	regsvr32.exe	regsvr32.exe
PID 1984 wrote to memory of 2800	1984	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

kmP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} = "1"	kmP.exe

C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
"C:\Users\Admin\AppData\Local\Temp/2fff6c69/kmP.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3320

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\background.html
Filesize
141B

MD5
bbc71f16a4d2a527706e0605a8e4d33f

SHA1
bdc52f38e6f5d4c549cac979456e14b08a3b960a

SHA256
a324b4e9eea5afd5d0b31f1d3c1abf058b3637af83836922ad2597775cc10e62

SHA512
7acf3808917f532003ac27876987bdd649f0c955b8145a1aa51f88892841e54788304ab85ce395e85b47e935fad07270e5782f3d83730292baa3bc1343bf9ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\content.js
Filesize
144B

MD5
0654917402505bc71a231599d02e09a2

SHA1
e24d4fcf6f136c3be86b4dc01bd3bf446ce462ff

SHA256
9577828de9e701114e75cca9918972c9028689518882edcb6aa193f9353c19ae

SHA512
3e7077342d4c06d1192898a4ec5c9b19f3ca8883c5fd7c6e2a581d855959b748b5a8c4b07e3468cfc8b79e6abc1595fefccb41011c179da665567d5dc4b2da5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\manifest.json
Filesize
508B

MD5
e2832fbedae560495781610b5c511afa

SHA1
95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108

SHA256
6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2

SHA512
2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\rzIq.js
Filesize
5KB

MD5
3214f4dd041b3e0b360185d0f3323e58

SHA1
0a3e3a0705ebebef467de4a69845fc562c97ff07

SHA256
b5c836d9c4453523290e5cbc991e88906c90d87528ec08955e6e4950cfefdd3d

SHA512
552fe62d06f56679a69074b866a6887420b9d7ccfd46ee62c024d2936e6bf87f013fac77ad4ebb5082ddf6a5b97c1060ba508f1ac580b9f45e8f2617dfa4158d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.dll
Filesize
416KB

MD5
aabcede5b824bd00717350b6b7474c46

SHA1
86c7cf982e18ca23f8ef30718417903dc010b00a

SHA256
7cf78eed551c7df977db6b274e3d25a41c80b9cde614f6eeb267f56e89fd78ab

SHA512
5a553ac22d08f6157639328e76016b488de7d92dae5d5d814ffae45ee0ec0e0b77c174ccb6ae851eeaf5e871d58a116d8ff768470d3e1575c58f506cc5563764

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.tlb
Filesize
3KB

MD5
0470e51ab6155fa6ab7c5ede0fbc9957

SHA1
f660d5661c0fadb56c5608e2aaf019dea75c4878

SHA256
4e830314ce7d9287d6d9344db8baac12080c9174d34155854db62d950775ba7f

SHA512
5e915c92b4f2555bbde1972227f002cc90492020de65329ab83dfb7779fe6c4f378db626ddf490046a0df49f5c218bcb8b4eeec530a56f24c8ec0a16c54c2240

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.x64.dll
Filesize
464KB

MD5
a4a6482bc28e62a61ad01ceed7bd7d44

SHA1
12d3c0974d22dcba264088d9d68bc1eb20b988e5

SHA256
4a2a6fd3a04d31249310edb0c04b11d9afba4650f14e57a10884e61f430a0019

SHA512
241770653ae1b70cff9f06618d56c1756aec63210ab3df5e4e2e3c5e9b937369edf0e55b04df12d0046d199b4f27f1459efdcd4215a5ddc78d892190dd76ab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.dat
Filesize
3KB

MD5
ee45bc4cde3c3ccd38614ce4ee3f1378

SHA1
d62a6739ea6fdcf4580c5170c74e4a3e8c0a77f0

SHA256
819bd2056c961add6ba09b0e054f65d978ff717fb6dfb3ac1f28f92d537a5695

SHA512
780f85f065292b7ab716ee723ad7bcf4eb85a7ebd20c4e316b892a3406bc8a9cecab465f24c405a6d49819648f1b5e3ae234f41061412cc18a97d399f497119c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
Filesize
486KB

MD5
67c0e85aff48138c7e24f222546ec1cb

SHA1
abd1e48ea7d820ec19b8b91556acf8b064eb4ba7

SHA256
6e41774bd669cccac6aa2901ff413a130f819bc8c754e9ef4d1ed2a8e0721f22

SHA512
883f6d3fc1933be85bc2a07023c6143bfba4cd914ee190300fa166b2b018f78e0d79d12ce7ce7d2ff0a38b6f126c5cacaec8074e33fa237b73dd0c0d08bc763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\chrome.manifest
Filesize
23B

MD5
faf31174ddc46d5da93f1c5a2033a945

SHA1
b6e4a5a8611d96919168c99065911177830370dc

SHA256
4b3186f616cf2a0402c89a9d6d6c7ad30d907ff44cada4eb6856e97966c2889f

SHA512
d81bf9adff9c4f82e3f5264612c2e702161cc1e6a843bde88b3414f85ba646bba6fe4f5d479fceb35e8327a4a610027bba3533e38c2fa0986bd25ff1a8485250

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\content\bg.js
Filesize
7KB

MD5
597c8b32820f58859df39f9281621e76

SHA1
ec0b0e8b6b81903d71c4c17c3cb5587974f0c786

SHA256
c49e030c820e4f22419770ef44f3f56965a4b5809cd67bb8b6218ddd0e04bd03

SHA512
2ce2763474c595f8a3426b3707898e87ef43d5c70b509fbd16c894d611c998ead0cbf8648526ec099069eb01b0ee2c77081c2d21f975a832bc3e691e97c87faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\install.rdf
Filesize
608B

MD5
802d93a96420ae2ad114e0c3902e57df

SHA1
72e2194cc5ee374fe021914e1bd4f5feed388d38

SHA256
aaeee2ec5bbe95d1243c4671ca8cb28d5dc657ea96b0a8c5fe5d05c9ad87e5bf

SHA512
f9fa1a93da19ac7262bd4654fda1f249735d2e7e42129adbc06f0807bf64b352848f5095fdbb13895c6376aab7f82d4e0332ea7a0a94f189cda6105b2d2b4fc9

Download Submit