Malware Analysis Report

2025-01-18 22:00

Sample ID 240622-nn6saszfrq
Target 01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118
SHA256 659dc79f8a18c659e6388d43f961532d496de9a26b5ee4d350e40f8454720db3
Tags
adware persistence stealer
score
6/10

Analysis Overview

score
6/10

SHA256

659dc79f8a18c659e6388d43f961532d496de9a26b5ee4d350e40f8454720db3

Threat Level: Shows suspicious behavior

The file 01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 11:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 11:33

Reported

2024-06-22 11:36

Platform

win7-20240508-en

Max time kernel

133s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uunljwsbedcre = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA3B5597-400B-222F-0467-B9161530FC97} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BA3B5597-400B-222F-0467-B9161530FC97}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425217885" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44C97ED1-308B-11EF-B2FB-7678A7DAE141} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2039b31998c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000008d5d4fd09dcc7b1ca3a066a39501c823f4284c18642ec9f00866aea84e1f7385000000000e8000000002000020000000b8a072179a33b59d347fb268eead074def34b45b23280dd7241feff60b6363b82000000036c45a9df1027bb4c5d05c191b40df57295bedec53e605af1fe4f1116e41fca640000000e859f3a3ce0cfd7eba6bd84262c4c2a9146da85ae05897a34c3edf821edbddc581da1d4dd53876054d4ba7dc97f1d4c852316b9ccc3f98c8f8f3b382007a70d4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3B5597-400B-222F-0467-B9161530FC97} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3B5597-400B-222F-0467-B9161530FC97}\ = "blueskyadagency browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3B5597-400B-222F-0467-B9161530FC97}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3B5597-400B-222F-0467-B9161530FC97}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3B5597-400B-222F-0467-B9161530FC97}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 blueskyadagency.com udp
US 15.197.148.33:80 blueskyadagency.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2400-0-0x0000000000150000-0x0000000000152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3D11.tmp

C:\Users\Admin\AppData\Local\Temp\Cab3D73.tmp

C:\Users\Admin\AppData\Local\Temp\Tar3D87.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 11:33

Reported

2024-06-22 11:36

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ysqvmnorbmsqnvyhk = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348D6598-B307-309E-5E66-492EBEEA1751} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348D6598-B307-309E-5E66-492EBEEA1751}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "431916052" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a026f91a98c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{45575B6D-308B-11EF-90FA-CACDD8B22A4F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114392" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc37000000000200000000001066000000010000200000005a6097e506fc7efca3a1a69a5a67989344abf1091da8bd657fc69e9c0a5d233d000000000e8000000002000020000000ebe4f451d750775b33107ed4713c762fbe4091d533f2c378e78395235716f7b620000000c6ae69b5f786f75fec10c9c47e2c1f88f4942ff2b621bce3fa94cc92e708024a4000000041da1c0b66d916ae0f64275ddf23cb39ef852b807e6213a1cd3e65d327e5be9eee4f6a2fa10112a0bc4b9e6295600452592484f89e4549f984d6a16692609ecd C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114392" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa9cad4c9673b74c9a378d3b281cdc370000000002000000000010660000000100002000000083f33465da05318d47375101ce6631d1af66a3e1876e1f1957edcd1e6d22e633000000000e8000000002000020000000cd5d51e924d5376b879845f2c5a8140a205fe6f91efc98ddf0f8b2cc62793fc12000000017eb348c71d6a8f67898c87618d33585a99982ef9f9f14da3cbde31692a291814000000067bdd5b6cae82e5404c573411a1ab4106e5839bc5cc2bf2e36f9bddb3f044626b417c90ec2923a3b714f81f08ff7974299ba5590b2e7ac00ee8fb4eed005a7e1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9052001b98c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "431916052" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "434259791" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114392" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425820994" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{348D6598-B307-309E-5E66-492EBEEA1751} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{348D6598-B307-309E-5E66-492EBEEA1751}\ = "blueskyadagency browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{348D6598-B307-309E-5E66-492EBEEA1751}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{348D6598-B307-309E-5E66-492EBEEA1751}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{348D6598-B307-309E-5E66-492EBEEA1751}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\01efee1f8ba0f9c17dfb746326ab908c_JaffaCakes118.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4300 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 blueskyadagency.com udp
US 15.197.148.33:80 blueskyadagency.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FUP7PRY6\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee