140f6d18134e2769c63f1ac6834f79dda4daf5c2e8463faa567ad935eb94bef7

Analysis

max time kernel
142s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Size

910KB
MD5

19f96777f45ec0af8bf1733b44942829
SHA1

19c5742302b1c068c93c4db01116cb9c850de888
SHA256

140f6d18134e2769c63f1ac6834f79dda4daf5c2e8463faa567ad935eb94bef7
SHA512

3a6e9a7d7b37a24901f10e088d714903db5a2fee8ee5283e5486193ad62e96b4d17ef1c66052a2ed3553c0c2e46351443a9c07c0bbdd94f2f1947af610787847
SSDEEP

24576:Orq4MCKWh1Le/1igYs+d/noNAbR86S7Vfeu:Hwhoi8o/noNpTVf3

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 15 IoCs

pid	Process
2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe
2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775b}\NoExplorer = "1"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\clientguid = "f4c005511e8c4776b0c7b78646366c32"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775b}	RegAsm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D970ED5-3EDA-438d-BFFD-715931E2775B}	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\83CED28E-B96A-43FC-A276-2AD7A48EB6BE	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\83CED28E-B96A-43FC-A276-2AD7A48EB6BE\NoExplorer = "1"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775b}\NoExplorer = "1"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\ = "InternetExplorer"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\NoExplorer = "1"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HCIRes.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HCIRes.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SearchToolbar\Plugin\BandObjectLib.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Program Files (x86)\SearchToolbar\Plugin\SearchBar.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SearchToolbar\Plugin\SearchBar.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Program Files (x86)\SearchToolbar\Plugin\st.zip	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Program Files (x86)\SearchToolbar\Plugin\IE BHO.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Program Files (x86)\SearchToolbar\Plugin\Uninstall.exe	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SearchToolbar\Plugin\BandObjectLib.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File created	C:\Program Files (x86)\SearchToolbar\Plugin\Interop.SHDocVw.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SearchToolbar\Plugin\Interop.SHDocVw.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SearchToolbar\Plugin\st.zip	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SearchToolbar\Plugin\IE BHO.dll	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{c9a6357b-25cc-4bcf-96c1-78736985d412} = "SearchBar"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://81.29.214.174/Search.aspx"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Secondary_Page_URL = "http://81.29.214.174/Search.aspx"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://81.29.214.174/Search.aspx"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://81.29.214.174/Search.aspx"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{18291348-B055-400E-8BCD-3B927FA9ED87}	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{18291348-B055-400E-8BCD-3B927FA9ED87}\URL = "http://81.29.214.174/Search.aspx?ct=it&key={searchTerms}&ref=PGTB&cg=f4c005511e8c4776b0c7b78646366c32"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://81.29.214.174/Search.aspx"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\TypeLib\ = "{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\ = "IInternetExplorerBHO"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\TypeLib\Version = "1.0"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.InitToolbarBHO\CLSID\ = "{1D970ED5-3EDA-438D-BFFD-715931E2775B}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\InprocServer32\1.0.4044.22162\Class = "SearchBar.Toolbar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\ProgId\ = "SearchBar.InstallerClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SearchToolbar\\Plugin"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\ProxyStubClsid32	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\InprocServer32\1.0.4044.22162	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.InstallerClass\CLSID	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\Assembly = "SearchBar, Version=1.0.4044.22162, Culture=neutral, PublicKeyToken=a0ebf05e75e2c6d2"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetExplorer.InternetExplorer\CLSID	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\0\win32	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\TypeLib\ = "{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\TypeLib	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\Implemented Categories	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\ProxyStubClsid32	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\1.0.4044.22162\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\1.0.4044.22162\CodeBase = "file:///C:/Program Files (x86)/SearchToolbar/Plugin/SearchBar.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B030D9-7883-4741-B81E-5BBDA38E5A0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\1.0.4044.22162	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\ = "SearchBar"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetExplorer.InternetExplorer.1	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\Programmable	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\FLAGS\ = "0"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\InprocServer32\1.0.4044.22162\CodeBase = "file:///C:/Program Files (x86)/SearchToolbar/Plugin/SearchBar.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\ = "SearchBar.InitToolbarBHO"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.Toolbar\CLSID	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\HelpText = "SearchBar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\1.0.4044.22162\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\ProgID\ = "IE BHO.InternetExplorer.1"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\ProgId\ = "SearchBar.InitToolbarBHO"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\ = "InternetExplorer Class"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\ProgID	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\HELPDIR	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.Toolbar\ = "SearchBar.Toolbar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\ = "SearchBar.Toolbar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\Class = "SearchBar.InstallerClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83CED28E-B96A-43FC-A276-2AD7A48EB6BE}\InprocServer32\ = "C:\\Program Files (x86)\\SearchToolbar\\Plugin\\IE BHO.dll"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.InitToolbarBHO	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\1.0.4044.22162\Assembly = "SearchBar, Version=1.0.4044.22162, Culture=neutral, PublicKeyToken=a0ebf05e75e2c6d2"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\ = "InternetExplorer 1.0 Type Library"	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/SearchToolbar/Plugin/SearchBar.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\ProgId	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\ProgId	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}\InprocServer32\1.0.4044.22162\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.InstallerClass	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\1.0.4044.22162	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA247AF1-104E-3A0C-AA09-EA5762A40821}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA4460A4-8B0A-41B1-864C-EBDA7EED4267}\1.0\0	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.InitToolbarBHO\CLSID	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D970ED5-3EDA-438D-BFFD-715931E2775B}\InprocServer32\1.0.4044.22162\CodeBase = "file:///C:/Program Files (x86)/SearchToolbar/Plugin/SearchBar.DLL"	RegAsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2168	2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe	80
PID 2816 wrote to memory of 2168	2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe	80
PID 2816 wrote to memory of 2168	2816	19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19f96777f45ec0af8bf1733b44942829_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe "C:\Program Files (x86)\SearchToolbar\Plugin\SearchBar.dll" /codebase /silent
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SearchToolbar\Plugin\BandObjectLib.dll

Filesize
24KB

MD5
c9fa507ff8e858f226597d654372500e

SHA1
40ec624bc7592161fc39be2f9eddc2867ee301fc

SHA256
62615d14f9e3ab6243e9fca1ac4ba2014ef2870bc7c6b1ef0dcd9b681135301e

SHA512
2f865ef16698c5d4b3f440a36d393f296dd5d7f3897e30119ad62bbbffaff6df81e6ddb0eb73a1b7007cbdf0dcd781c9cf7abc6c3fce8aff51a742b8b806a2a7

Download Submit
C:\Program Files (x86)\SearchToolbar\Plugin\IE BHO.dll

Filesize
625KB

MD5
6f1f975788de072cd665f03164be1c63

SHA1
c78dda52e6999ff3abf6756b3149fd8da95e3f9e

SHA256
2040f0442c8aef7c4b93b5b4adc75af8fbfd937e9225e13cf875d65906503fc8

SHA512
edf166a6ca25963f45b2e3ca2139808ae83b9c8c3e421477092001aa39e3c48d319b4d4ac650412cc1d8c4ba722949d237bb23d03726d14d8fec5ffaace98be8

Download Submit
C:\Program Files (x86)\SearchToolbar\Plugin\SearchBar.dll

Filesize
32KB

MD5
f822135af14a0741dcd4afd6fa270681

SHA1
d97c5149630a455d3d429f866028eaa5b972a8cc

SHA256
88b56ab522c67e355a66eb12f37589ed939f8f014717d86f91abfed677756c9a

SHA512
34f17edebb1f55281bec04396deb770ff89ee3f9aba2af0089cccfc3c39d4b4c2e91730d95c421c06e52e23ee07ffb6b3fea352a04452212c159b5ab55cae3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4C1D.tmp\NSISdl.dll

Filesize
72KB

MD5
b13935bfa7a3e43c112bd9fa02f08f28

SHA1
dec4f136057097c412f53c2ae41b80a8ad0c6810

SHA256
796f7efb91904fa4105528e18f6f87e3fdab9a070dabef83e02f9ae375b2b060

SHA512
1b92cde7bf74fc181b4d2602a269ef1f581b75eb67e3e46b256ddaddc153b95ee17d422a56ca04d68eafe61ab468b708f7f3691f3b47c554a67af00d49b2709a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4C1D.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
memory/2168-29-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/2168-43-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/2168-28-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/2168-27-0x0000000073A72000-0x0000000073A73000-memory.dmp

Filesize
4KB

Download
memory/2816-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-219-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2816-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-227-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2816-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads