Malware Analysis Report

2025-01-18 22:00

Sample ID 240622-nqndqszgnn
Target 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118
SHA256 4af04ba1d2405491ea667993e3b04f9a3032960da916438769ae0e4df343fbb8
Tags: adware stealer
Score: 7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 4af04ba1d2405491ea667993e3b04f9a3032960da916438769ae0e4df343fbb8

Threat Level: Shows suspicious behavior

The file 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: adware stealer

Checks computer location settings

Deletes itself

Installs/modifies Browser Helper Object

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 11:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 11:36
Reported: 2024-06-22 11:38
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7837CA49-D4F5-4335-BA75-0E008BF95012} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7837CA49-D4F5-4335-BA75-0E008BF95012}\ = "Google Audio Helper" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sys.dat | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\apphelph3.dll | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\apphelph3.dll | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32\ = "%SystemRoot%\\SysWow64\\apphelph3.dll" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\ = "Google Audio Helper" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C apphelp.bat

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\apphelp.bat

MD5 333b1a375896eba2946c7fbb1ed936d0
SHA1 92ea27e3ccbdbf100cb3f71c20938fa3a1acce4b
SHA256 666c60d137bf471d3f574ca25054ef08ac0401d0661bc893f587a9375a9c6123
SHA512 b7774a777774356d23bce0399f39e43c5b59bb53d26ae4c922286e31ca18ff8e0a22062b83ae668cd8d92df1447f14d8bb7cb43c3a3793693eb9c913f3a3861c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 11:36
Reported: 2024-06-22 11:38
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9105EA91-5EED-434C-B490-AEBCF54E286B} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9105EA91-5EED-434C-B490-AEBCF54E286B}\ = "Google Audio Helper" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sys.dat | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\apphelph3.dll | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\apphelph3.dll | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B} | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\ = "Google Audio Helper" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32\ = "%SystemRoot%\\SysWow64\\apphelph3.dll" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C apphelp.bat

Network

Files

C:\Users\Admin\AppData\Local\Temp\apphelp.bat

MD5 333b1a375896eba2946c7fbb1ed936d0
SHA1 92ea27e3ccbdbf100cb3f71c20938fa3a1acce4b
SHA256 666c60d137bf471d3f574ca25054ef08ac0401d0661bc893f587a9375a9c6123
SHA512 b7774a777774356d23bce0399f39e43c5b59bb53d26ae4c922286e31ca18ff8e0a22062b83ae668cd8d92df1447f14d8bb7cb43c3a3793693eb9c913f3a3861c