400c5c264a18dc4cf49342f66cf8d473394ef0ca11c08ad9f064be7211986069

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe
Size

301KB
MD5

0827b32f15e2d850cfa269b017207aaf
SHA1

aa51719a47a48ee8c239ab03a78a41a00d212317
SHA256

400c5c264a18dc4cf49342f66cf8d473394ef0ca11c08ad9f064be7211986069
SHA512

0d8782fc9dec596594fe77db59725e0cd30cf568ee449ac1d4bd5ccd76ac16914576b357e6de6e13a1c0e11ade6724f77b3e94fb23d2fbce64e5f1e1a0c06553
SSDEEP

6144:k5QDj7VtqyNhni4LJoZUHektYJQGX8vCQZVFKY4fgATvEo/+LPOCljo9VcIWQiLH:k52H1JVouHeIYr8vbVFKVgGEo2LPOC64

Score

7^/10

adware persistence stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	3535.EXE

Executes dropped EXE 3 IoCs

pid	Process
2024	3535.EXE
4880	rinst.exe
540	web.exe

Loads dropped DLL 4 IoCs

pid	Process
540	web.exe
540	web.exe
540	web.exe
2024	3535.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1036-0-0x0000000010000000-0x000000001005F000-memory.dmp	upx
behavioral2/files/0x0007000000023382-5.dat	upx
behavioral2/memory/2024-11-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1036-14-0x0000000010000000-0x000000001005F000-memory.dmp	upx
behavioral2/memory/2024-61-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\web = "C:\\Windows\\SysWOW64\\web.exe"	web.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	web.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	web.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\web.exe	rinst.exe
File created	C:\Windows\SysWOW64\webhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\webwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\webwb.dll"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	web.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\webwb.dll"	web.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	web.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
540	web.exe
540	web.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
540	web.exe
540	web.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
540	web.exe
540	web.exe
540	web.exe
540	web.exe
540	web.exe
540	web.exe
540	web.exe
540	web.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2024	1036	0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe	84
PID 1036 wrote to memory of 2024	1036	0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe	84
PID 1036 wrote to memory of 2024	1036	0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe	84
PID 2024 wrote to memory of 4880	2024	3535.EXE	85
PID 2024 wrote to memory of 4880	2024	3535.EXE	85
PID 2024 wrote to memory of 4880	2024	3535.EXE	85
PID 4880 wrote to memory of 540	4880	rinst.exe	87
PID 4880 wrote to memory of 540	4880	rinst.exe	87
PID 4880 wrote to memory of 540	4880	rinst.exe	87

C:\Users\Admin\AppData\Local\Temp\0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0827b32f15e2d850cfa269b017207aaf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1036
- C:\3535.EXE
  "C:\3535.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\web.exe
      C:\Windows\system32\web.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3535.EXE

Filesize
240KB

MD5
be4137258c9e49395bdee5ff0e00c5c9

SHA1
47fd20f3aa36cdf00ca300da8328129db35858b8

SHA256
dcbe4b956b2d9edce45b5d341126f0ec966ac87a138929f7f8e6d405f310e6c5

SHA512
913fe72a35e31343ae14299aa5d872447700ae3b199a8d81a3532c004d9fd13e0e56918c5ded661cc8780af29329f4c0023cdc222d6be07d6a0b9ef0be442d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
362d46b7ca030bd208edcee784b9ae5d

SHA1
8215bc8665cfa57620148535c5a4b6122ab330a2

SHA256
d38eea56cb6c8df80bf5d9a3dd979ef0992127020f5b1e2026fa34b10804c2f2

SHA512
487c8b6320c40dca423c3fe66658c250a99392aec4977995750ce6c26e499eab0ae7e232cc5ee99281c029f037b774d09d8445cfa841ac81c1b7dbddcc1f0071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
3KB

MD5
7b5ea9724ec5d150ab0e4d043930f5ec

SHA1
e05a12749c57093a6837b54ead4ca24fc5571660

SHA256
b463302378dda08436574d0c5c4b32e4cdcdf5d53d8f89e1a467783b973cf203

SHA512
417d0bc7f931a5e229b18febb20e21e4ccbc6cbdec7998cae9f5896e49062d11ffd2f71ab516184053eb676431cd2f10a8f4cae436e8ed4365ff03164fca44ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
c2945ee5c57f33f8bbb6a4f6d539180b

SHA1
64c958603de6a1db225752e9abb87222faf24c68

SHA256
b6c83639513169d01356a02db1631e8f28320c8ed0cd9f485d5433d13616f349

SHA512
8bdd657d45ed8720c92dad611f5c41c0e8e6602444232ce23b0258a8a8c1b194b1ad6498f25292c29ed7b8deb42b220245130a87f54b34d49dd250fb31f149d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\web.exe

Filesize
388KB

MD5
50d0909cea1d547acc11247bdfd0b639

SHA1
5e0fd96989296c7142022a5b51ffb00bfc78e4a4

SHA256
5b1e764a3061bf865cfc0a35e0956c725b9436d0013b6c2836e74facfa0dda2c

SHA512
176187b6cbf129ccb0e2124e1ae6cb392ddda3d4e2dc98233e85cc1216690ee6a6f265b942baac2d3e3bcf7d1acd83a1252dd25db02e126ae708a27084943756

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\webhk.dll

Filesize
8KB

MD5
aef5c7b973d40813f3f760e4b5d91046

SHA1
6d6db2387907656f50a61cf219194e7c8fd48e53

SHA256
de2ada7b1cddcd14d52b3e3c4159683ce24f86eabaac86181859dff91e5eb55f

SHA512
54fc2529948a3f4d21884a730ee47ad7edcaa9945ae2f074f0f4a2b9d5cd08b395a954cb51fc6850a6f01d07030d591b949f48d9b7ba59ff6a4f6cc499178419

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\webwb.dll

Filesize
40KB

MD5
eb1997ae9c885d0f1c25286d0c36fde9

SHA1
b6b098141c1d6ada96a2da85718f9dd892f0c07e

SHA256
aa88cdb17698e4253dea4f8df598b9a85f15235444fd4803cf1a905e74c6e731

SHA512
0aac91a14b7087386b520155b93cf018736c846d9ea6cf2269927bdd778e513ab71c5bfbf07841defe8200c8d08cfcb0a87720de53d9e618d39d9627ea8b937f

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
3KB

MD5
d690c4dc9b86542e65429998f80dc69f

SHA1
206640573e38680754924097f95bccdca552d296

SHA256
42f1208f5fe558a14f57594ed449f88b67436beac0b6e0b7c73dbe5cc5e5d751

SHA512
2e2f4c76d4b7f4456ca34ae6d531f724376251cec6652ee741cda832fe428ba07c2ce52dd4e6e590c7c430f57650119b3653105adbb1f56aacfbfb7155bfb321

Download Submit
C:\Windows\SysWOW64\web.exe

Filesize
388KB

MD5
65b87ab2238f38344f5b0604c32d7f32

SHA1
7b04e46572ac9c90c8e49d053c327edc015b1e18

SHA256
2c89b18e3285f064a709b9e0a31148c4701c8c96c83636266f3b351731021a22

SHA512
2d8012a495e85621f31bbdaad3ead45b5358b271fd311c7050bb840536b33b77e9f63cece3ccbf3dd229feb669ac66437eed59c05d6ac8f68fb5fd2e33df95ab

Download Submit
C:\Windows\SysWOW64\webhk.dll

Filesize
8KB

MD5
a9bce1d47adb3f7779809adc1c04726d

SHA1
265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

SHA256
8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

SHA512
ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

Download Submit
C:\Windows\SysWOW64\webwb.dll

Filesize
40KB

MD5
f5cd91b683eed55da373d54fac54d52d

SHA1
83665074e3ee67dae8d0d8010a1bb07d3a6c7ef0

SHA256
815f893e764eb040fa19e35b66cbc04c469144575039817de0f8548f39f8327d

SHA512
57f74a66057472c1ebb28f666e1478797a8fb1a3b37596ba9d99930e6b6bfb98e2bb30329c31d691f75043d286db2b6d77145b6e9f42801f0719aab77712c0d9

Download Submit
memory/1036-14-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/1036-0-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/2024-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads