Malware Analysis Report

2025-01-18 21:54

Sample ID 240622-fkmk9ashpm
Target 015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118
SHA256 a2375c9a8806b6ef73550e00c3fed1ce2f689f33b13154187a51757cb12d0a51
Tags
adware persistence stealer
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

a2375c9a8806b6ef73550e00c3fed1ce2f689f33b13154187a51757cb12d0a51

Threat Level: Shows suspicious behavior

The file 015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Installs/modifies Browser Helper Object

Adds Run key to start application

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:55

Reported

2024-06-22 04:58

Platform

win7-20240419-en

Max time kernel

120s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\itmuiklqktht = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{819AD7B3-6554-F35C-7881-27968744F5CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{819AD7B3-6554-F35C-7881-27968744F5CF}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B7B42CC1-3053-11EF-91AC-F2A35BA0AE8D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e067758c60c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000de666904f7f45e1e0288ae78e3cfa89a383606d6de5ef6f87187cafab06c7232000000000e8000000002000020000000c203c1988ca6b5f02ac0e140851acaf809be8036547a51c9facf871a400f943e20000000ac9625b9d8b289aefcc9e3b370cb71860e5d62a046f2335622032edb46aca2f84000000024ea64907e221f1a58bafde28bd931b56582d133ba79b0830aa65b0c33509b78124e5167a281bf8761874fe4293f485257f647a2cc177a28130d65b0c523174d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425194027" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{819AD7B3-6554-F35C-7881-27968744F5CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{819AD7B3-6554-F35C-7881-27968744F5CF}\ = "snappyads browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{819AD7B3-6554-F35C-7881-27968744F5CF}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{819AD7B3-6554-F35C-7881-27968744F5CF}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{819AD7B3-6554-F35C-7881-27968744F5CF}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 new.snappyads.biz udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2292-0-0x00000000001B0000-0x00000000001B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab342D.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Cab34AC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bc9194019f1c6b4d53cb9153ca2b431
SHA1 5188ba9cd3c0ee6b04ea05b7690932443d53fc48
SHA256 c2fbb9cd2cdd7e93f338990fd232539f73e84826109237ce892295e18aabb48c
SHA512 61738ddd261ef656ab0fd8e3d41ec1a0238c559057409433a1f43b5d6a3a3c8321257fd6a5391ff3e58d98088dae2d3df6710d499b6e0f6b9fdf40a41261465d

C:\Users\Admin\AppData\Local\Temp\Tar34C1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dac0d1c998e3df002c54efb7d22c4bd0
SHA1 b51811ddd89407a3ad1a19304ccfb533714063cf
SHA256 ca76fe9dad53e262da954713538d31774688b16187b896ce139693217a3b0339
SHA512 1ed96c6920d95d9804e190d3d1e118e61d26e01240854664d2e906c673fd30d39256257577cef68ec8bcbf71480914bf0093f2f96cfbe17b00acdcb7346906dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d4fcc0ce67fef57893620fd56956d3d
SHA1 bfbf42dfe42e4d7346249ed7f2b2f95097e82c42
SHA256 d83637fc428a6575d690835d1bb862ce16c1ec1897f31ab505b6f237f991abeb
SHA512 7175f2082a781a7910eaa6910af37b408ae2e8b8de2ac0cfac35913b5eee0a9fb08fe327fec13bbef5b7103c9c60f6dee8da8a0aed2fc4d746543a66674f95f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 546348084db20f703e37d798f3298368
SHA1 1c69f0857c9aa6907b97da6264ca0f567cb0bb23
SHA256 b5a916bcbbacdd7480d1ad8312ed52c611945d2226ade025f8d9cabe6221f5d8
SHA512 996b41d5bc14d918e734bd49806c6a47266a68df0c9c1c38504dbc2090556b2bcec5aad2eaa19ee464017760e676b96945e9f03be0434755fac0dbb4e6822c0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fee9493b27d2717227aef9e717491623
SHA1 30867d60bd55995732f6dfb73ed7126860e315ca
SHA256 a74e588457920a29f8945a36c44e42a42f3dec5ae3ec2e1fe8d66ee7518b3094
SHA512 ad6e06c7e32db1802d1c44318b95e71854b67723db16a48adf53dafa925141a1ed5a4d683ab54dc38596348c429f35890a3c421a45fe2dd4da6ffa9cff0831ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8d8f2f3d36dfb2627f173b6e36590f5
SHA1 55ff81183d9d3a440c7b541e0eacd41ebb37bd38
SHA256 fdfd5b5beb8ed77450fa9180c509add4d4b838cd7f71f61d0b93e90f48f0cf71
SHA512 4ff0b7f1b3dd1804ed87cb34057d5b2562add382a4326e88ee5b65245ebd2e1d408410298c286674db0d414ca2764e60b75375054bf6d6138ca78b4c3d62d044

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 364f411ebfec268a3ea0c7bcdaab1903
SHA1 9eda61e3b9e86a2ecd309857de40318565692a98
SHA256 b90f39836faf609a8846ffe1f9e8412de88fc5adf5988f93bba7b68f3a53d6fe
SHA512 39acdf85dbcbf06f059aa114bc4ea0c2b7b39c1edd10d1427459a482c9e688c68ae3016c46a4d12aa2a1a9757ba017fd2f46c002d1984aa225f3040de9d6bfc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e530f96c01605a61597b32c8853a763
SHA1 3ad49b9121b220d2fb8d3252614fcc4bbf31fce5
SHA256 1c1dddcff79417bf113e7b7054f53d7d5a51543c0666d080444d94c9ee167908
SHA512 84f9a84987e60e113ee624aef752edce30fefee724ddc9ba642dac8e9ef1fbb6c1b4e7791ed0c93c95fc087de394314104c8d005f8c0f3d836215f29841f2f20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59156d0db666dc40cc88efe389bc5e71
SHA1 7d4fa4369aed93ce4e16821ba5503e03c40f1e3f
SHA256 392568053b8d90de6471027dde721899a76800d3136206043c56f18b608eeb76
SHA512 f521500a0f33bbf469c87d8cf823fe2c274a34082679310b11881825feab3dcad88486b77b88990c7b58cc8132c22d3b83af0f836b6150e8f9e3b6010462f2be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef24b950e39a837c2d8f0eb9c2ddb874
SHA1 6ce95c1b4d0fc0d72742175499a3a8a20d97487c
SHA256 52fca8d04479de89b3c2e0870ae2cd98b209170fbb58cb40acbf081cb20f2a2b
SHA512 2edb2eddd5beec5de60dbd569282449caaf0fe10930a7ac56630452467973cf86d0eea7337742602f6fec213160a681d636dacaf8457d1cc429cacce6422ef6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3095f54d3314b04d3b98c52e42a95a74
SHA1 fd283609507cdb86499931f63c5b2ddbdf146d54
SHA256 22652be3fc05a275a5eb03a484830a54e74ecf9c49aa59d0dea71f698ffad80f
SHA512 8ec6b9dbc2b760d4db575ed4cd705e4592472b484592720e6891f438d61f0a4917cd748d6c24f4e06f2db402e63916b2811797b1ce18be8f397bf7d52dbc0e8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3d9b0d91ce788dc86088550953e6632
SHA1 db24f7322e7110b3b92d8f60c558b82a6e6e816d
SHA256 8824ab0d5bf4cc837c705faf7ed9a9a9e3b1f1a6d905862bf779654bb7c62086
SHA512 a80d357efe91d8095e283b2c11d85d5e33f55b01840a40d6d816bb2cfc64740cfb8a6b2fa54e17559ef7eb28fa45d75af91330356220c953e706f0d5aad76b69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee1e60a13f6af31ab1e6365824a0610f
SHA1 d6893ab42bd9546409aa3aed9b83d6d85317d470
SHA256 884e913108ac58c2bb26f1297b8722aec4f3b20187b6f64c560768641d7e7c4a
SHA512 d33a4d6e609f57e755c234a399cea8db7e86804d45f89fcb26877ff106bb419db0c0e2de27c072836111bc49ba8179ce3202f864cb6dace856dc3375f47c58f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fc0b0fd5353a5d36d84a6e7d54c85d5
SHA1 fd19671944fa38ad17a2929afdad32d3a4e50d76
SHA256 ecdfafafab531c8f8bda1bb0b010629f2ad6a4988b3a6518edc6879c4d920b73
SHA512 241eeac949dc0ddc7f9f778c9c68f4cf76a21b6cd85792f20b3a21816f3ec0fe6fd2b58cc80aa327d7dcf191ad39c163c31fe58b833e940ef18acea356c5864c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 817979a8ff5c5131e8d04609d2fd36b7
SHA1 1b96f334128707c56647ac11d85f187de407c8d0
SHA256 c7c67eae0be9e8b677d931322efaacf8f2c5093ba4643e0f459173e7495248e9
SHA512 4b2f34b8caef25b0580565dc2293875f7e49175fbb845d15126caca698789164ed5341f64b8ec6822ace4e61a73a61a702f5dbb1f06673e1ab0d4b06f0c07852

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76a65bfe3b72683b5dacd66c3bc83539
SHA1 fac98058e41156b6e491bd6fedf1f241c9378e37
SHA256 46dcff868e7e583cb5abffd092a09268ba65b259ee83df56b820cb126f86c5f2
SHA512 4549fde19a760dcdcf4aaa13666b8f3aa63444becef5f5da2a6d57726521eace9d5734007cb474864a427c98e546f783954293002d8825e0e9e004a4d4bc18ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c1989aa92fca17c8f2b3088be4549ec
SHA1 81474e9154d078377cd6618022f8c1c7a8796bd8
SHA256 c9e1e65fc1fd8ad68189c75351d249c95672abbcf9b87c8073ab636054da5b6d
SHA512 1ad9d28d09e47951c74108e8dc3694d413592f0f0529e6e9d48cf7dc40a38eacb196d47032e05a1aefcc454a371087bf6f6dbb61790e43a34b3a091aa52d4afc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e168621116e4ed6071b09142418af59
SHA1 07a7b261f321bbd6cbee3cdb451ace0b9f3c1aa8
SHA256 f303a45a1a6d7b041d33975304ad5d1477980829ceb4c5d2ebbe8c8a4d99280a
SHA512 bfb8ed17e34d1738a8e1be4e822b66ca98a41d5b26cfb7a4d0ace31e86643eb8b8f0380ffdfcd004deb7fc3cae1844beb3e4517d97f328c5c135599cdb3cd442

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54d840f77425744652b8187e2d6a559a
SHA1 eb9644176ad4de85e92c20c279803c7aaf10de5a
SHA256 0d0771ab08274be8cd4d68e6a9697f9682beac158189bb5122fb4ddeaaa01dbb
SHA512 05c289b285bfd4d256c011245379f4939324740a01af3f43c1c4d1cb93b7d4615118b15409090a8333d939463b20d26a70f3bf7efe0fc6259e0616b95b5115d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:55

Reported

2024-06-22 04:58

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xhkyncyzvoiopjhv = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425194039" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B85C9C25-3053-11EF-BCA5-F6D93F980912} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000007b0da9639adb09aff3ee49eec50cbfb0f6649321dda1aaa0e0b7cc61cf76af8e000000000e8000000002000020000000c7650179063e336ae173e116c8888ada981d168ce23cebc4fbbac27b0d18a2b7200000002830e2dad24b1b2b8d2a0fc5701d8673d9179d1940d42bb52662e8cff945481240000000e435649c3a7342ebec2ff42e51e811e72af8b5341df174e8ebb2d2a241633e4158147c786f777558f2bb888bd751226754cd1e8687bad4e325d37d44a4de84b6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000004e9856110719ed7675dc99a98b03db280fe64c0abbdcc544d9670e3e9cd36137000000000e8000000002000020000000c142479a0ba0c2444519090da457a9d38defacd38d251d33c3e766d07ef60b8b200000009ee313f666e05afceda9b8410f6e41ab8b2a2273375c9c6b2feae4f2f2dd6d25400000006b6ecb76215f1120438538a3117eb3956a7f2f68f88a87c207cbe2c69e6d6ac673b15aa9193e9851546cc6cbb53373d1656fd30d242a39d1888e1cc4a97802f3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0dede9b60c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0042d59b60c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
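Added example, not part of the sandbox report: the DecayDateQueue rows in both the behavioral1 and behavioral2 "Modifies Internet Explorer settings" tables carry long binary values. Their first 20 bytes (a version of 1 followed by the GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) are the fixed header that CryptProtectData puts on every DPAPI blob, and the Process column shows iexplore.exe writing them, so they are Internet Explorer's own protected state rather than data the sample stored. The Python below parses the blob layout far enough to recover the master-key GUID and the cipher and hash identifiers, which is what a triage analyst needs to classify a (data) value as DPAPI-protected and to know which user's master key file (named after that GUID under the user's Protect directory) would be required to decrypt it. The two blobs are copied verbatim from the report as constructed input; the `_Reader` helper and `is_dpapi_blob` are this example's own names, not Windows API names.

```python
import struct
import uuid
from dataclasses import dataclass

# Fixed header of every CryptProtectData output: version 1 followed by this provider GUID.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# wincrypt.h CALG_* identifiers that Windows builds put in these blobs.
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}

# Constructed input: the two DecayDateQueue values copied verbatim from the report's tables
# (behavioral1, Win7 user S-1-5-21-481678230-...; behavioral2, Win10 user S-1-5-21-1337824034-...).
DECAY_WIN7 = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000de666904f7f45e1e0288ae78e3cfa89a383606d6de5ef6f87187cafab06c7232000000000e8000000002000020000000c203c1988ca6b5f02ac0e140851acaf809be8036547a51c9facf871a400f943e20000000ac9625b9d8b289aefcc9e3b370cb71860e5d62a046f2335622032edb46aca2f84000000024ea64907e221f1a58bafde28bd931b56582d133ba79b0830aa65b0c33509b78124e5167a281bf8761874fe4293f485257f647a2cc177a28130d65b0c523174d"
DECAY_WIN10 = "01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000007b0da9639adb09aff3ee49eec50cbfb0f6649321dda1aaa0e0b7cc61cf76af8e000000000e8000000002000020000000c7650179063e336ae173e116c8888ada981d168ce23cebc4fbbac27b0d18a2b7200000002830e2dad24b1b2b8d2a0fc5701d8673d9179d1940d42bb52662e8cff945481240000000e435649c3a7342ebec2ff42e51e811e72af8b5341df174e8ebb2d2a241633e4158147c786f777558f2bb888bd751226754cd1e8687bad4e325d37d44a4de84b6"


@dataclass
class DpapiBlob:
    master_key_guid: uuid.UUID   # names the per-user master key file that protects this value
    flags: int
    description: str
    crypt_alg: int
    hash_alg: int
    salt: bytes
    hmac_key: bytes
    hmac: bytes
    ciphertext: bytes
    signature: bytes

    @property
    def algorithms(self) -> str:
        return (ALG_NAMES.get(self.crypt_alg, hex(self.crypt_alg)) + "/"
                + ALG_NAMES.get(self.hash_alg, hex(self.hash_alg)))


class _Reader:
    # Little-endian cursor that refuses to read past the end of the buffer (example helper).
    def __init__(self, buf: bytes):
        self.buf, self.off = buf, 0

    def raw(self, n: int) -> bytes:
        if self.off + n > len(self.buf):
            raise ValueError("blob truncated")
        chunk, self.off = self.buf[self.off:self.off + n], self.off + n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.raw(4))[0]

    def lv(self) -> bytes:   # 32-bit length prefix followed by that many bytes
        return self.raw(self.u32())


def parse_dpapi_blob(blob: bytes) -> DpapiBlob:
    r = _Reader(blob)
    if r.u32() != 1 or uuid.UUID(bytes_le=r.raw(16)) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI CryptProtectData blob")
    if r.u32() != 1:
        raise ValueError("unsupported master key version")
    master_key = uuid.UUID(bytes_le=r.raw(16))   # GUID fields are stored little-endian, as on Windows
    flags = r.u32()
    description = r.lv().decode("utf-16-le").rstrip("\x00")
    crypt_alg, _crypt_bits = r.u32(), r.u32()
    salt = r.lv()
    hmac_key = r.lv()
    hash_alg, _hash_bits = r.u32(), r.u32()
    hmac = r.lv()
    ciphertext = r.lv()
    signature = r.lv()
    if r.off != len(blob):
        raise ValueError(f"{len(blob) - r.off} trailing bytes after the signature")
    return DpapiBlob(master_key, flags, description, crypt_alg, hash_alg,
                     salt, hmac_key, hmac, ciphertext, signature)


def is_dpapi_blob(hex_value: str) -> bool:
    # Triage helper: True when a registry (data) value is a complete, well-formed DPAPI blob.
    try:
        parse_dpapi_blob(bytes.fromhex(hex_value))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, hexval in (("win7", DECAY_WIN7), ("win10", DECAY_WIN10)):
        b = parse_dpapi_blob(bytes.fromhex(hexval))
        print(f"{label}: master key {b.master_key_guid}, {b.algorithms}, {len(b.ciphertext)}-byte ciphertext")
    print("LastProcessed is a DPAPI blob:", is_dpapi_blob("e067758c60c4da01"))
```

Both blobs parse cleanly as AES-256/SHA-512 with a 32-byte ciphertext, and the master-key GUIDs differ because each detonation ran as a different sandbox user; an 8-byte value such as LastProcessed (a FILETIME) is rejected at the header check. A value that carries this header is bound to that user's master key and logon secret, so it cannot be read from a registry dump alone, which is one more reason to leave these rows out of the IOC set for this sample.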

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}\ = "snappyads browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
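Added example, not part of the sandbox report: both detonations above log the same two-part pattern, a Run value that re-registers the DLL with regsvr32 /s at every logon, and a Browser Helper Object whose CLSID's InProcServer32 resolves to that same DLL in the user's Temp directory. The Python below correlates those rows rather than matching them one at a time: it takes the HKLM rows from behavioral1 and behavioral2 (copied into the script as constructed input, with one benign iexplore.exe row for contrast), joins each Browser Helper Objects enrollment to its CLSID default value and InProcServer32 path, flags Run/RunOnce values that hand a payload in a user-writable directory to regsvr32 or a similar LOLBin, and reports any DLL that appears on both sides. The regular expressions, the list of user-writable directories and the function names are this example's choices, not anything the report or the sandbox defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the HKLM rows copied from the report's behavioral1 (Win7) and
# behavioral2 (Win10) signature tables, as (operation, path, data, writing process).
DLL = r"C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll"
REGSVR32 = r"C:\Windows\SysWOW64\regsvr32.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CLSID_WIN7 = "{819AD7B3-6554-F35C-7881-27968744F5CF}"
CLSID_WIN10 = "{0B98516A-AAD5-FCB1-6AF4-A4D011DEF384}"


def report_rows(clsid: str, run_value: str, wow: str) -> list:
    # The five rows each detonation logged: Run value, BHO enrollment, CLSID name and server.
    cv = r"\REGISTRY\MACHINE\SOFTWARE" + "\\" + wow + r"\Microsoft\Windows\CurrentVersion"
    cls = r"\REGISTRY\MACHINE\SOFTWARE\Classes" + "\\" + wow + r"\CLSID" + "\\" + clsid
    bho = cv + r"\Explorer\Browser Helper Objects" + "\\" + clsid
    return [
        ("Set value (str)", cv + r"\Run" + "\\" + run_value,
         r"C:\Windows\System32\regsvr32.exe /s " + '"' + DLL + '"', REGSVR32),
        ("Key created", bho, None, REGSVR32),
        ("Set value (int)", bho + r"\NoExplorer", "1", REGSVR32),
        ("Set value (str)", cls + "\\", "snappyads browser enhancer", REGSVR32),  # CLSID default value
        ("Set value (str)", cls + r"\InProcServer32" + "\\", DLL, REGSVR32),     # InProcServer32 default
    ]


EVENTS = (report_rows(CLSID_WIN7, "itmuiklqktht", "Wow6432Node")
          + report_rows(CLSID_WIN10, "xhkyncyzvoiopjhv", "WOW6432Node")
          # One of the many benign iexplore.exe rows, included to show it yields no finding.
          + [("Set value (int)", r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000"
              r"\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags", "0", IEXPLORE)])

GUID = r"(\{[0-9A-F-]{36}\})"
BHO_KEY_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\" + GUID, re.I)
CLSID_NAME_RE = re.compile(r"\\Classes\\(?:WOW6432Node\\)?CLSID\\" + GUID + r"\\$", re.I)
INPROC_RE = re.compile(r"\\Classes\\(?:WOW6432Node\\)?CLSID\\" + GUID + r"\\InProcServer32\\$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
LOLBIN_RE = re.compile(r"\b(regsvr32|rundll32|mshta|wscript|cscript|powershell)(?:\.exe)?\b", re.I)
PAYLOAD_RE = re.compile(r'"?([A-Z]:\\[^"]+?\.(?:dll|js|vbs|hta|ps1))"?', re.I)
# Directories an unprivileged user can write to; a COM server or autorun payload there is a red flag.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
                              r"|ProgramData\\|Windows\\Temp\\)", re.I)


@dataclass
class BhoFinding:
    clsid: str
    display_name: Optional[str]
    dll_path: Optional[str]
    registered_by: str
    reasons: List[str]          # empty means nothing suspicious was seen for this BHO


@dataclass
class RunFinding:
    value_name: str
    command: str
    payload: Optional[str]
    suspicious: bool


def find_bho_registrations(events) -> List[BhoFinding]:
    # Join each Browser Helper Objects enrollment with its CLSID name and InProcServer32 DLL.
    names, dlls, enrolled = {}, {}, {}
    for _op, path, data, proc in events:
        if m := BHO_KEY_RE.search(path):
            enrolled.setdefault(m.group(1).upper(), proc)
        if (m := CLSID_NAME_RE.search(path)) and data is not None:
            names[m.group(1).upper()] = data
        if (m := INPROC_RE.search(path)) and data is not None:
            dlls[m.group(1).upper()] = data
    findings = []
    for clsid, proc in enrolled.items():
        dll, reasons = dlls.get(clsid), []
        if dll and USER_WRITABLE_RE.search(dll):
            reasons.append("BHO DLL lives in a user-writable directory")
            if "regsvr32" in proc.lower():
                reasons.append("registered by regsvr32 rather than an installer")
        findings.append(BhoFinding(clsid, names.get(clsid), dll, proc, reasons))
    return findings


def find_run_persistence(events) -> List[RunFinding]:
    # Run/RunOnce values that hand a script or DLL in a user-writable path to a LOLBin.
    findings = []
    for _op, path, data, _proc in events:
        m = RUN_KEY_RE.search(path)
        if not m or not data:
            continue
        payload = None
        if (lb := LOLBIN_RE.search(data)) and (pm := PAYLOAD_RE.search(data, lb.end())):
            payload = pm.group(1)
        findings.append(RunFinding(m.group(1), data, payload,
                                   bool(payload and USER_WRITABLE_RE.search(payload))))
    return findings


def triage(events) -> dict:
    # Both detectors, plus any DLL that is simultaneously a BHO server and a Run-key payload.
    bhos, runs = find_bho_registrations(events), find_run_persistence(events)
    bho_dlls = {b.dll_path.lower() for b in bhos if b.dll_path}
    shared = sorted({r.payload for r in runs if r.payload and r.payload.lower() in bho_dlls})
    return {"bho": bhos, "run": runs, "dll_in_both": shared}


if __name__ == "__main__":
    result = triage(EVENTS)
    for b in result["bho"]:
        print("BHO", b.clsid, repr(b.display_name), b.dll_path, b.reasons)
    for r in result["run"]:
        print("Run value", r.value_name, "->", r.payload, "suspicious =", r.suspicious)
    print("DLL enrolled as BHO and persisted via Run:", result["dll_in_both"])
```

On a live host the same correlation runs over Sysmon Event ID 12/13 or EDR registry telemetry instead of report rows. The natural follow-up there, which a report cannot do, is Get-AuthenticodeSignature on the resolved DLL, since the static1 stage already marks this sample as an unsigned PE; the registration-by-regsvr32 reason is deliberately only a supporting signal, because plenty of legitimate installers register COM servers the same way.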

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\015e45e9239d88ffd28c088ac5aec3e9_JaffaCakes118.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3172 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 new.snappyads.biz udp
US 8.8.8.8:53 new.snappyads.biz udp

Files

N/A