Malware Analysis Report

2025-01-18 21:53

Sample ID: 240622-fg4elasglk
Target: 0159711e38493359577cae469a1eaf71_JaffaCakes118
SHA256: 5f29c7fc48885213bffc99aef57e0019e56a0b45e831915944620840a5d7ba61
Tags: adware persistence stealer
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256: 5f29c7fc48885213bffc99aef57e0019e56a0b45e831915944620840a5d7ba61

Threat Level: Shows suspicious behavior

The file 0159711e38493359577cae469a1eaf71_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 04:51
Reported: 2024-06-22 04:54
Platform: win7-20240611-en
Max time kernel: 117s
Max time network: 127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rtpsktwkyfj = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C289360-65AC-9288-F2CB-545BEAEC1E3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C289360-65AC-9288-F2CB-545BEAEC1E3B}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19287F71-3053-11EF-AAAD-627D7EE66EFE} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425193761" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3059e7ed5fc4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000006b91a5c10c8ca67a5e642e92a89e84575195e94d6257257678b2ce9263e1839c000000000e8000000002000020000000eeb56644a5b5ffe16811baec3bd05545782ec4893dcb799e2a7004f56eb04fdc20000000ca24eaeecb10be1859ac4c509ea1b000046b432d1755cbcf426d97004218747340000000dcf72f80adf95542590bf157fc18d55a8498b061d9083200f2a2152022dcf00b52137b13fa727d778b95a02db7a9163e123272740d457294f829e4fdaab3e4f4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C289360-65AC-9288-F2CB-545BEAEC1E3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C289360-65AC-9288-F2CB-545BEAEC1E3B}\ = "snappyads browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C289360-65AC-9288-F2CB-545BEAEC1E3B}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C289360-65AC-9288-F2CB-545BEAEC1E3B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C289360-65AC-9288-F2CB-545BEAEC1E3B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 new.snappyads.biz udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2072-0-0x0000000000280000-0x0000000000282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab25AC.tmp

C:\Users\Admin\AppData\Local\Temp\Tar266B.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (rewritten repeatedly during the run; each version had a distinct hash)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 04:51
Reported: 2024-06-22 04:54
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bkndqoposicmaluoi = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A85BD79E-642C-8EFD-871C-C255C742F71C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A85BD79E-642C-8EFD-871C-C255C742F71C}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e2ebfe5fc4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425796889" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{23FD8E65-3053-11EF-B9F7-CE289885E65A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323bf96752ef048b2eeaa11cddfc62600000000020000000000106600000001000020000000b45e1c747558e66574cba088e1e96f2c267271e27f0cfb8f7b4f0e21678e86a6000000000e8000000002000020000000ce46d6604d5518191551529f63c9c18353929ec8bb37a481262d7aead7eecea420000000535a087c84d2760af134ad62dce596895a5f81ec5370733ba4dc53cad161e97a400000000a756127359ef61efcdd0427199707f07aaaa062b168ef55b57034bab1f71d590c90e66730e5b6061236e96b13799bf7ebde534cf6177eb400b9c0a9323fd9aa C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07233ff5fc4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4182193057" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323bf96752ef048b2eeaa11cddfc626000000000200000000001066000000010000200000001416c651b771336ddf6ab69b2c28c6dc148b706acc528e04e60e6b21d8571803000000000e80000000020000200000000f823b6b2e6761d030611809be437830ca732a4c73d67456f2bfe2066c34ff332000000096180ab045e9c7d88c5d446bcdf0385a231adf7522e0d8a5d27406158a93b69b400000007bb730ad38fe237aa68e023d5a1f1c0f3839179380e30a6d69fb5c70fcd76f0d7d06e8b890df9ce4846335fb01db63a7c8e0d5ccef31875a74b7796d29551817 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4182193057" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114335" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114335" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4199693725" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114335" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A85BD79E-642C-8EFD-871C-C255C742F71C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A85BD79E-642C-8EFD-871C-C255C742F71C}\ = "snappyads browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A85BD79E-642C-8EFD-871C-C255C742F71C}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A85BD79E-642C-8EFD-871C-C255C742F71C}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A85BD79E-642C-8EFD-871C-C255C742F71C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0159711e38493359577cae469a1eaf71_JaffaCakes118.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3164 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 new.snappyads.biz udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\suggestions[1].en-US