Malware Analysis Report

2025-01-18 21:58

Sample ID: 240622-frgzcatcnq
Target: 0169eb062aa14ef526a072ca0d486d41_JaffaCakes118
SHA256: 89899221bf26c7d8dade38ecefc143157a8d50b18435d5bc31474f12ef67ee22
Tags: adware persistence stealer
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10
SHA256: 89899221bf26c7d8dade38ecefc143157a8d50b18435d5bc31474f12ef67ee22

Threat Level: Shows suspicious behavior

The file 0169eb062aa14ef526a072ca0d486d41_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 05:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 05:06
Reported: 2024-06-22 05:08
Platform: win7-20240221-en
Max time kernel: 133s
Max time network: 127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rmfqolnumbl = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2635333-6E72-E2F1-0081-B16C9682D04F} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F2635333-6E72-E2F1-0081-B16C9682D04F}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{263D7511-3055-11EF-A304-E60682B688C9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425194642" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006e0c0f1ac420644a7471a7d1a718f3900000000020000000000106600000001000020000000fbb0a980f68cafa343845e34043a3cece6aa661b19caf39c6fd7356f19cb56dd000000000e8000000002000020000000ddb62b38c7c3fa86f9e6ab3050b4041b0e5084a9f5a209ba228fe4837d7792f920000000213d3bf28610505be2fd2be0a65b196ee6c457d4a477ab4b06a2d91eb4bfe8e440000000b2678fb25eb0fc30c66ed5883469bc02875857694b6acc20fd5c3e48b5eb3df385573281034dc21d05bc8b2227a240113120240b304a1ef917d6fbcaa6ebd29b | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d569fb61c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2635333-6E72-E2F1-0081-B16C9682D04F} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2635333-6E72-E2F1-0081-B16C9682D04F}\ = "cpmsky browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2635333-6E72-E2F1-0081-B16C9682D04F}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2635333-6E72-E2F1-0081-B16C9682D04F}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2635333-6E72-E2F1-0081-B16C9682D04F}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 cpmsky.biz udp
DE 185.206.180.161:80 cpmsky.biz tcp
DE 185.206.180.161:80 cpmsky.biz tcp
US 8.8.8.8:53 www.cpmsky.biz udp
HK 172.96.185.159:80 www.cpmsky.biz tcp
HK 172.96.185.159:80 www.cpmsky.biz tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/820-0-0x00000000001B0000-0x00000000001B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2FE9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar30CB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20cdc8c38534dc35cc8b5f97a045bf48
SHA1 ee78b2b253b0e7bf398244ed657f330f3b7647ff
SHA256 c839251a1ada848255b28df97d1aa7287701a343cdeb763d98c66256d098cd97
SHA512 7edc8fe4d9e1b3e846ef024c3b2e98acf917367ae77e0d143eb536399beee635152c00223095b62b9a9095696f399bba8d9acbf1a510129754c869156a7fae60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 566e4e90acbc3f5a37a1e8715716ce00
SHA1 9e225cd1b08e96fd7f587c81556ce09147414e4b
SHA256 d4118bca401bd94cfeeac6113aff7c87ceea2df4c89bfdd31b1238ab26e459e3
SHA512 45f320b21607e43a2f62936521894bb5623a3ac55fabbf93f23d8818a0679a90da0d973662e8e0fa50699f947f744b77a7725099e0047a5a4cddd92af162c4f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b593e3059a99aa311e9fc6580324412
SHA1 2f07516efde52507cc8a45b8778f99b116f57ce2
SHA256 9e4d85b79124d9bfed48452ae766ba6bd742180ef2d32b1573d38415a04fbe6e
SHA512 e2d81567fdad1326c936d73169bddd735eb9a53cb7ec35d846e87069f2462073c730e56b380823bf17f65cbae1858ccb4fe3fac5bbbbe99fdb79209c3bf54f2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 896ba40577e2fc9ffce45d401373f47b
SHA1 472ea005928a223e1c48b9e2486380e539785ceb
SHA256 5ac9407277d4a90444900b34f2339ad1da3a3663558796d84b162bf935e4e33b
SHA512 0d788f8062661919afc2844ee20c953d61c9410577fc5ab89f8b4bcf1a9549f56d4673fd67cd8a97c7949998eab9a4095183c722c1f1da892a2318f8e3d1deb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91a7c91ce821035f67f5d748c4f8c3a1
SHA1 a8e00b519b009e880bac3dcd877df7011e133946
SHA256 eaab0887b9ca4d9c64b672f97dba1555ea94a5cc3caad21ced09500f39c2b283
SHA512 34b7f8102b929db0e4d0fdcc2376e8c18f27480c4057dd37b2bc3d64edd21899df2d7d1f97d56783cab92733684dc909d799a0fbff3fa4f110aa457526272bb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f50d38431221c6b857705c2e3b92d54
SHA1 b74c1ddb5bc86b053fa46e57a5b325ea47f51230
SHA256 28912ca835492db470811e6e9209023c491bf03fdf2c030ef5d02f8aa16eb747
SHA512 e3c1645fe654f92de76d2d38fc668591764d78f112f3b1ac8737b611d4c573671b18956abfb7a2fa06dea86e8a7cdd0d949fbaa4d653567e2fddcd11dfb35a3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f451d4d653e5b89bcd127b12c6620a0
SHA1 0c6b436c33248805b517db79f7eed91afb78c724
SHA256 25bbbebe4bac5a53e6147bddee1a6b9aa2eafd899932abcbca2d85de300bad8e
SHA512 7d490100903d192ebbbf49f4969d581e0ba3ec1402ab15197b5c6333ab7f4c00c58cfbc7bee5de07d479c4e566247eb7ee74223c547eda3d0205525c078bd0a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdad8dd05818281572160e79d1253b9c
SHA1 e838c413838393479ad54d10048d7c491718f1fa
SHA256 dbb89c8ff660eb5cbd32cc6a7a405709c47c6103cd25a8b01bbd11f5e8d75150
SHA512 d2a10a29f313feeaacb6b7e7d35ec8519719a2a0e96229c77ac8ebcea222c0ac3157bd5815abb3ff4f53634ec394dea7fcffae4f81aefe333b24dd18d62ac273

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0adefd815791cef6008b825d2427f4fc
SHA1 52e3428387b99d547e12fb1fda657480fc358141
SHA256 aa52d0d22e1e6676a0fbf1fa0ee54cf114ea06438295562b48656f9a7772df7b
SHA512 2b0d54164cc45a2eb553e1c4ba02e0b30baba0461382d4c2dc3207d3cf6c9c1f0effd989c42e9716bd67ea81ef7a52863aaf22b2703c08f98f8e91aa43ff3995

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7dee6b57b30016627117f11759707652
SHA1 46f147c37b4a248b40c21a6b745ff9b0646cdfa3
SHA256 ed144c2034da484a5956887336116537329734dc45a8b3b6703690a596130052
SHA512 61dfc1524afca424ea200b776face05e160f5ef072db55f72bec1f03a35f9adf80c6157dd7d54b3d11382e406f8bce4a5ae005547e27848234620da3173fed73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 030576b7207cccbcd2cbf6df138cd96d
SHA1 f5d8f4f6f431ecddcffb412720c1b1f35081ecb1
SHA256 83ee07d2007c73606677e8bbb0e6d90561883e4dec5c15df070b7b6a9a69d079
SHA512 454854c7a4833b412e51c8e02a4dde755787badb141f7b149c42d1733c3dd4d5d620e3136d8eb701053d6d52a17297fa8021e175aaee4df2c1a977c38d2a07f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dff46cb33f7f73ba5ed1e9783447878
SHA1 c6a68939181054cfdd2e647c762d5b144f2a154a
SHA256 994714b4c27e7c59d96398610bfaaffad2e752522461d73d966859ee76bcfe04
SHA512 920272f0a0582215912282de69ccde77df26b1adc115a193ba84d47919042fb838f18f5486146ff27d7ba7e3f2fd224c36c643964d5d9f2d5f874ea6adbb3588

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a90351f40f73f1d9cc21fa4f43e26dac
SHA1 5388e6093855bf16aaf6e623cca55a8de46cf268
SHA256 751e649ff9aefdf6d8a198c6a46f3b2c671a18595badf510d39ea41551c415e6
SHA512 eb16dddebcad0c65aed152ebd228f22df4c4d416cc45f7c32d37fead3e2a774ee29fe065ef08480189fbf67e296d110d5cda97a626250736cf67750bf3a1e506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a158f3ebe5edb4ac9eae9fbd48c2aa07
SHA1 9fff1263c58f3035450b6ae94183d754367c6864
SHA256 e46683964b3362ce4cab18a6c4f55c0d5208103d7a60c5b4f841e89b66aca048
SHA512 2097b6f73c8894fc8972ff65f9975f88d58267e46b005d11fb71342bc906e068c36a06a6299d277ae0b7c70ca635ca15b7f267bc3446cde0f50940ab04eb02f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e71d1aeb5ac05214457542c1793d0537
SHA1 74bf5c677ff671d4ec1b068291579eb1af5d592d
SHA256 f12c674559b879b5c7bd4f1069d9383b383f50544b8830158cb7d8905e40556c
SHA512 85e53f6ad74241ae043fead427c0dce0df15b91635b2595dd71f6da15d967d992fd6e3a580f55c8639afb44d6097240927fb580300bcb9bdcffb21549fa41dfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6b11a34740306ae312ce39647be9481
SHA1 c9ab3177599c69d9e49806ee73e70675053abd84
SHA256 5a3d5e095bbf7e24d4b3e77d5a0cd12a80034268828e3099d820fc1c20ae3ad8
SHA512 182996c362b39f98f87995e8b52893b42f83f7dfd57ec864afa17a759899129135eb12d6e29502ec76260e97c6143281f882afa57750d299d773d74489d17150

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 033f1d1d2f526f0521de825204f187df
SHA1 80a7cd369f490ce0523a41f7dac81a59a2cbf93f
SHA256 4cd9dc4b26b1bd6da6a29cce9005c9e321c6fc8192ce49739451f1f9fa92978d
SHA512 7bb3cb1cbc517636990392ee26faa3123edbbb269d7544a7f09d67c53816def4bd2c64b9557ba0417c1ea8dfa57e5e4460a2d3d03d70939362c8536fc190a502

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8b13adc5e1d4e08c39bc1aa2226c2fd
SHA1 4a60d71b9547ac575ed94b0cc95bde8d3c773067
SHA256 40076594349c1f825d7b65e5bf38c756aff5db5067099e8bea5e6c2302fd00ef
SHA512 2b001f26d60cb7180cac38c87800cdb06b3839d2ce05d301163a755dbd6ec68905c948ad83abf7c33b2a311446dbc3850abff7465e785ba308e737be0b625c82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54097a955f5df86890d5c8e419db6c97
SHA1 2f3b1db7884f04d3b65e070aef3327de1095d90d
SHA256 32016339a6fb7550b849b5af43579075ad0637c58fccd40c97fe6dfa1cc63e8a
SHA512 9f839e714e0c3dcf4564daf57d671f94f42f5868dbed7381ad7150bc06c84c945f695e3700c9a0368decba269e62b3d606cc286361f71fbcd644798bd0d04c48

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 05:06
Reported: 2024-06-22 05:08
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\liwazmcdkyebh = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30627cfd61c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4234978747" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403675fd61c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114337" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114337" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c837400000000020000000000106600000001000020000000b19d8b3d5aab57c670eff23eb221c8632d6eee5d2dcc92df0d95df2a7fb7dbc9000000000e8000000002000020000000b64b735b1b652eae43bdc3e1a7d8414757e81ef980d83bbf00b29de2629fa9832000000041873c6bb7fbdc41f3fadb4ef137aff10ed3ffcfd946ffbe2f6d25d48bf1e96640000000e8ab7f1732954d0f42811f9db72aef63e6073d72acec3ab40addd0e3add0ab9b33c986b672bb0d9bc176d96efabf0c049a3dd1799683016e7ac6faeb6bb9b70f | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114337" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c837400000000020000000000106600000001000020000000f857dbf0c32826e42659564e2b541d69eb230b417a76e7052e78b398169882db000000000e800000000200002000000008b8a6135b2afd84c5ef9982a24f9f6e95c1a75aa1e8bae5a66a4a956e0294942000000040037baaeb1c6280690f43932129f9a9acbdd996b7a73ad2ff36f5a15d638dd84000000089fe93ebaa86cd12e0601d90ddf205a5b70bbb88bf03abcd090f1c30b4dba8ff078b62163f7fa83b7997bb594d40c7c13dbbf842741bcc9110f91d08189325b1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{280A4231-3055-11EF-A084-46FD0705B728} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797752" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4234978747" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4237010264" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0}\ = "cpmsky browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBEC6D69-E377-5F75-0EFA-2D45E86FB6E0}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0169eb062aa14ef526a072ca0d486d41_JaffaCakes118.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 cpmsky.biz udp
NL 46.166.184.111:80 cpmsky.biz tcp
NL 46.166.184.111:80 cpmsky.biz tcp
US 8.8.8.8:53 www.cpmsky.biz udp
HK 172.96.185.159:80 www.cpmsky.biz tcp
HK 172.96.185.159:80 www.cpmsky.biz tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 111.184.166.46.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 159.185.96.172.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3e69b4f7d8b24e6c9606a99dcceb1477
SHA1 fa51b22048b9881fa9d589edabd597098c6ce426
SHA256 a8616afc4ac83452b293faeb861b299486ed4a881c4a0d9856fb55c877354db5
SHA512 6ec308d1d1ef5c5dce11d34ecebe0fc28f27154a7fa376529f5c315ddc63e0bd211cfd1ad42f6c2ab3a3d6da5b85ea004e20d7621430de45220c1df9055b550e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 abe44ed58b1e64753da11064ad35f06b
SHA1 a0bdbb04a4f5ec7c6cb99092322063550fa55688
SHA256 28fc5e07cf975bc75f4c94a62827b8b81b7603957b15445fdd9cd5965856c2ab
SHA512 ae858c21c1cc97f5ec04e479a1bf3e5682a86a79ea2d698f3919aa065c2cf8261e33e6bbb00aa8a01402ab67778a1b681f577c6f2752be6a6201c19590cf5e14

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee