Malware Analysis Report

2025-01-18 22:02

Sample ID: 240622-myhb1svdpb
Target: 01c2d60cb204dd28d5095041c1402f08_JaffaCakes118
SHA256: 82a4a02f9d0c220ce963dbb0751f4aa3e75fa7fc4b2df3a8fb3f42812f19a20b
Tags: adware persistence stealer
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256: 82a4a02f9d0c220ce963dbb0751f4aa3e75fa7fc4b2df3a8fb3f42812f19a20b

Threat Level: Shows suspicious behavior

The file 01c2d60cb204dd28d5095041c1402f08_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 10:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 10:52
Reported: 2024-06-22 10:54
Platform: win7-20240611-en
Max time kernel: 133s
Max time network: 127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\idvkbsczioxsdabjg = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425215405" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c0585592c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000000939010e0e15163f0942477d0ccdd4e66cce0e08cc84a300a6b35598f196bd18000000000e800000000200002000000036584b7bec2b4f92842c76a63073a7f5a43458a8c02a4b234445c199cf031514200000001af806a598c8f782b1bed51ae7dbd91296255c30b73ec3ebece1bff9aa7dd1a7400000000455a72f8a343b778d189ee9dc6ccbd971871b07f69e1304201b69188f392f60434162753ec04b3aa9118218a9c68dca500da932dbac24dd7413d45d3a224ef5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DFCE4E1-3085-11EF-999D-7E2A7D203091} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D}\ = "solads browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CDC6F03-1ADD-592E-0A42-B50DEC57D20D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a1.solads.biz | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2900-0-0x0000000000180000-0x0000000000182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab389E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar394F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72a003dcbc4fd5a810fe59390644bafa
SHA1 5ed097d6ebe5205f32cddac8e899979fdc596e1b
SHA256 94ef97a4beeec7e230a0a99c24d2459550c317bfa94f409431c396a5f58dfe00
SHA512 c235de1757630ef338d7d12b1672d77797b5a5e7802a30a4812a4eff1954cc77864f8012d20ea85388d2d105e0aad14ec62d7fe3dedf6734ef288dbad7f9c4af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 920ca606c734e13bef5149ba3789cfdd
SHA1 c785503c3aa80237be4d4c63e0742303ea424c9f
SHA256 2b16fcfbab0680251f79e4205082110d6166f2f4280179e841fe75ab43bfe34b
SHA512 0f918023322561b0e113180501c56765c743f8f9c1f55654dc05bd2af2f8cf8017bce814e47b8bf082635d84abf59047e89d90dd9069eccead1a435596ae03d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58f27f450395d581776fa047dc484419
SHA1 8beb94c1a7fd2eba1458570019f2164a579287b1
SHA256 6603717f444a5bc098fa73f3cbed00e02cb868c2b09d793ac4d4b77c35d71266
SHA512 6abec60e1a3ef25a2a8e20c99b1a9d1dc29ba6b4144c319ea29646cefb768cef8dd8dd8c4c561860efe8ff25d51c28126f7aa9632cee0527df9f9fa32be3a3ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ca7bd137e877ea46b44cf2774242f9
SHA1 99ef17d708e49ebbb39f998cbd8441d0fc683aa3
SHA256 4622c66bafcf568ddcdc12da4197215543a191225aaf94e8cc3816027b7f0a98
SHA512 23eb62ee1898e91bd53ce88d6a49599c1c8bbdb773326556ed3195b663ac66b9544385edbbfbb1d7f503951b84f361a7e122b1cfc9f24924dc18403726fbaad3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fadc0ad0287771ea33ca3e989beba763
SHA1 62f7491e5b9e7b6371f7842ef9751be7ad9539b3
SHA256 fae68261c5fa0ff37174c152e95408f1ff5dbbaa1712bf7743b88a0945c9cef1
SHA512 abd6c187ca6290a6007204025f30fffe4f1b59491d5ed26f4dbbee4552625639921683e190562c079039ca9fb1fda0e3089f88f486c238b0a54ca39e5bdd3e49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82482750ac40133072e364cef1cee1ee
SHA1 f07b59292911b5611b499daf073f92f4d1362764
SHA256 505c991ca439b6ffda4acbb403a602ab19abd18bca4f177d82da38ef8b80e564
SHA512 5b09ce52d54fb6a8836ff6d2a9fa73d779d17a53e5c9df207680ff5f7e98b38a894f658281fd2da6f2f00cf969847b0ce2d666938568adebf40e29e21a3ed3b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f01c15bf61919e55a685f2498021f88
SHA1 6e4706101b2dec384727b412c24d2b8b130f845e
SHA256 68dc06f1e0db0ed8e3d99c3ffeb11387ae8a2abee3c16f0d92831538d941ec71
SHA512 7636797c1167d762098e35ee0f6e68afc0f319d458b3fdc2cb32e773c419275cab1a8de6cc55a39b2f3ed7f6786125d681ecbac025a584bd0d3297009fa31b53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b071a2774a485597d06b043fe80f5262
SHA1 c91292819092729d888a3e229a4e2920688611e7
SHA256 98af85b2080294af23703d7d53ce5ef83b92feca461ba081d5913f9e4de19ccd
SHA512 15762c6c24769e8b304d6ae8c7e7e32f6c34ae7eec88383a2a511e36a16ff223bd61599849fceaf877b024baadc50816a14f2172d2d3acfd610f94a0f8afadb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97eea200b8b3a3dc503d6dd6de106388
SHA1 376e93a408c36e88a88d747f2055b1d09114500b
SHA256 d975cb08261c0fdd2c897ca036dc8406b015bacd21fe3b8e808b86f8b140a7ce
SHA512 b1d2a9783a5e2c7b5d1a1655820a6137cfa8bc698f1082bb89c5b4a6a4255784a45ec2273d3b9d3b10161c13d160bb826f265fe64db8e53f4a2adcdd952b0b76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea35732442aba05e4c38db2a002d1674
SHA1 1d568b8201279e32835633659570db9f3d127347
SHA256 aac54e45b3b2e509c69f5465289579554aadf75e0e4a9413a2fce7e5a89474d3
SHA512 e99525537d0870dea425c5b98c6f23aa840b67b71deea4d050b437b2902cd6d6fd71be6c55492fa09b3b33918383b77ef4be3519e3ddae8abb85bfebabbe0b95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74d5e6ebeac3ca8e96950012af27f417
SHA1 99d608b9c53427922d986447ca483b7665e4afec
SHA256 84e9495015cfef1f2c88dee87ca8cbfb428c98e0f4a7b577dc9e0dcd6990769a
SHA512 041c4730c49a3403a9440fdfd61d7d226b4ca33b3c6dce71371c1269fff94e178a080fa23bc2645789d78dbbe86dffed8c8b008417bf7d2cadf3325d450f631c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f029cc7a80299011fd5a5b4d722a831a
SHA1 ba0e4aee349330c2f70df814af0d11998eb4e0eb
SHA256 1f476c03f31f844d51e35b902e5c984c1cf27ec1ae872a15f986f8ed1354c7cf
SHA512 fb3db202d67c1f5a95729a143fd13be2dc71d4404907c736f4e9acb07845b69baf29a24b51d42066d700bfe7f4b4b91ddfc069e22528d1833c470f40db80cd72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9726f99225c0b5d0487ad2612abd35f1
SHA1 061a3837b82553baaccbdacee2b0f5fefaf776aa
SHA256 a27c99b66a9f2b63f40789e1a2738aa8a48d1936eddc411e6b8407a884af610a
SHA512 d5d1df4c7e901d4326eead44e360e5fa145d618fb29e7744dd1c600bb9be814bc5a7ec9a2806062e0aba6adffeb1f5c7f0592a23867615d51a8468ddf120909f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baafe9516028bf939385561e6380d523
SHA1 042b35d3f0a2173028bc855219b7cd805f29aaf5
SHA256 194b1cdda3472bb1a5e337e91daa0e315c93177920ee74d25e8ff0eb22473cb6
SHA512 1247234fb61d4158b784b4a9778f20f894a58ec788dfdd2dd72a944abf4c2b5fe2d2919012b3f095890608d5e6e22e7bb4423f0431255d448c7b298f9d3026f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a15e636bc3795a37f08653d08bfe4ac0
SHA1 db7033aec6499d7a2dcbab0246feada448c95daa
SHA256 ab7ce8d61fcb7e5494635cd612a5ea792be5c5874c8c9bc3a2c75228f7c9d164
SHA512 0c3c04bf79a4fd50db5177e74775c83791122aa8d8fc2cc19764240f4e6dba5fe92abfb7e75c156e74b18006c3e3a330c7d44179723dd38803fd1b2e437d840d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1eca59707434bc78340de90046c2ce8
SHA1 7e32fd505fbe1943d38c70720efa034198d0b173
SHA256 76d2a1708bdaeb2256443fe9bb77da5bb9f0b1798deff892046eecf7541e618c
SHA512 b0f4555b406e272b23f2dc574c7599099795082f87b3bbc698fed97e94cfb6fb353a0984e094035fb2d34d7b9e06965d1b3b7c933d8b6e6986079e86c59be043

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee8fb45fbbbd6a631feb06f046d84b4d
SHA1 836392a7efeb0fbaebcbea2b631daf2f0a1bcf95
SHA256 d3321a55ffbb096015ba64ac519e1d108855a02c0a75ee7fddbb98c17b71aa5f
SHA512 0af897873a739263a97cbee90401cabcf3f8ddddd40814eef203bc733521196bdd7bcb8695ae76b0e900a66cd7cb6b897d0c6232fb974009fe027cb6e96e10e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d0dc9e0061abfe19c0f54b6b5c59893
SHA1 f666b18f908e71357b2c76a52b80661f51800993
SHA256 ee4b8cf4a5b3e45e6aa25934f8fb88c3656fea322a0f81adc19ef4daf24ed79e
SHA512 59a69b2df230443e2468600a804e908a2513e43f02c25a8e836e95acba5db6d8c659f35907536aebfc3effd3ec1f5da43cf06d9b64dc769bbdf821a29d8ab51a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14a2f7816ae138de4081561dbb845fd1
SHA1 5d97e2aee32cc38f1e77d875108f03ad03d014b6
SHA256 663704f92d8b2fbee0410d34acc33ad2d487f1f1738e7e9d310b1ca9eba07174
SHA512 187c5bc80a91d549d5816e58672a85e1fdc5212e5ff3d6144433198cc90c36c703f811dc5c39c55540ad4345dcf752c7d2fb6cfaaf6a7224f506205be31e2895

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 10:52
Reported: 2024-06-22 10:54
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krypghadvd = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000005a6cf0724e61369148acc28b7ac88ff8e5f932299486c14a662180f92d370215000000000e80000000020000200000006849821363471c9ea5936eeaf853e828277aefa0fdbdad4cf5dd55c01c714b2c20000000ddf44797d6df1bf104ddab1cf7b315db3bf59792707f3f013507df0aa0972d084000000071fa4c1a656060fe13b8849a1154b8ba34c168eca9973fbb082b6f1b85cdb7f6e032ec0ddb36a599d2e4a8fc996110b2d475c5c00074ed5fdb81478fbcd305cf | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2008756192c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E037B05-3085-11EF-9519-C2748A3A93CE} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 304d706192c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000d783f40a56c77cdea1accb9985290c55216562b8001fcf7abfd161aefa75c943000000000e80000000020000200000009527f709b84c81bb8d2c590d3884f473f61532644c5572846ece6b7fb06c27962000000010a8cc00fd0d366b51ef82e44fbdec54beebe48a856478dfb701753b21f5a81b4000000090a7c71509a020377a7438d3e46041f303761c4a05b1862d96c23df60ee2a58528382dcb75e9d33a9bc1b21550c313a5fd5f660758523c72dcf30a6f9ccef218 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425215416" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D}\ = "solads browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{855C94BA-7DA7-17A7-0524-F9E597D6CA6D}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01c2d60cb204dd28d5095041c1402f08_JaffaCakes118.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4884 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a1.solads.biz | udp
US | 8.8.8.8:53 | a1.solads.biz | udp

Files

N/A