Malware Analysis Report

2025-01-18 21:58

Sample ID 240622-mgjthstfme
Target 01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118
SHA256 19c619da64d79c47eb6660bbf280604bdf51e1855d102033ce36d469207f5731
Tags
adware stealer
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

19c619da64d79c47eb6660bbf280604bdf51e1855d102033ce36d469207f5731

Threat Level: Shows suspicious behavior

The file 01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Installs/modifies Browser Helper Object

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:26

Reported

2024-06-22 10:28

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Explorer Bars | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{88180462-3664-d40e-25f3-ba7e4c5d817f} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{88180462-3664-d40e-25f3-ba7e4c5d817f} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28}\ = "mysidesearch search enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\Implemented Categories\{00021493-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\ = "Search panel" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3e84c4c3-7996-55a9-e43e-cf5b69be3a28} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88180462-3664-d40e-25f3-ba7e4c5d817f}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 1932 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:26

Reported

2024-06-22 10:28

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c397044f-b3e3-8574-41d7-585b79b95f91} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c397044f-b3e3-8574-41d7-585b79b95f91}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1280e811-f841-6e74-85b6-d9ffd48f9e99} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c397044f-b3e3-8574-41d7-585b79b95f91}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c397044f-b3e3-8574-41d7-585b79b95f91}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c397044f-b3e3-8574-41d7-585b79b95f91}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\Implemented Categories\{00021493-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c397044f-b3e3-8574-41d7-585b79b95f91}\ = "mysidesearch search enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\ = "Search panel" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c397044f-b3e3-8574-41d7-585b79b95f91} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1280e811-f841-6e74-85b6-d9ffd48f9e99} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3936 wrote to memory of 4812 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3936 wrote to memory of 4812 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3936 wrote to memory of 4812 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01a40cf25f5b7610afdd66f38c57643a_JaffaCakes118.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A