04f921de82a0b86f1434e4ae82ab84ea21db46312e5e3ba66adbae6b8912530e

Analysis

max time kernel
133s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Size

148KB
MD5

2119b98fb8dd4d3a359604822aa99e39
SHA1

649454a82aa3b4bbbfa79b1a2f93b53090cab9eb
SHA256

04f921de82a0b86f1434e4ae82ab84ea21db46312e5e3ba66adbae6b8912530e
SHA512

448912c507f21a052cf85e35dde6b2988f6b1b5bdef53a0142c86f10faabb838fe77be8dd8cb1879f40d668c8e4249c9dd3519034dcb9182ce363c2578130a98
SSDEEP

3072:glQQHgs213nKAVzALkw/aC276UMYNk9NV3r8:aAv13K6zeDiVtNuN5

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-4D54434D5443}	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\ = "Tubby"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__t.dll	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MTC.dll	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{9EAC0102-5E61-2312-BC2D-4D54434D5443} = 00	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\InprocServer32	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\TypeLib\ = "{9EAC0102-5E61-2312-BC2B-4D54434D5443}"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\ = "TB 1.0 Type Library"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj.1\CLSID	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj.1\CLSID\ = "{9EAC0102-5E61-2312-BC2D-4D54434D5443}"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\HELPDIR	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\Version	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj\CurVer	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\VersionIndependentProgID	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\InprocServer32\ThreadingModel = "Apartment"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj.1	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj.1\ = "Search Toolbar"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\Version\ = "1.0"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\FLAGS	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\0	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MTC.dll"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\ = "Search Toolbar"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\ProgID\ = "Tubby.ToolBandObj.1"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\Programmable\	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\0\win32	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\FLAGS\ = "0"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0\HELPDIR\ = "C:\\Windows\\system32"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\ProgID	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\VersionIndependentProgID\ = "Tubby.ToolBandObj"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\InprocServer32\ = "C:\\Windows\\SysWow64\\MTC.dll"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj\CLSID\ = "{9EAC0102-5E61-2312-BC2D-4D54434D5443}"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\Programmable	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EAC0102-5E61-2312-BC2B-4D54434D5443}\1.0	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj\ = "Search Toolbar"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj\CLSID	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tubby.ToolBandObj\CurVer\ = "Tubby.ToolBandObj.1"	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}\TypeLib	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4784	5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe	90
PID 5076 wrote to memory of 4784	5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe	90
PID 5076 wrote to memory of 4784	5076	2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2119b98fb8dd4d3a359604822aa99e39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\w.bat
  2⤵
  PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MTC.dll

Filesize
84KB

MD5
1b5dde0ac2981717b81090698eb99427

SHA1
c9a95acc81784abfc39f6b48b35b9f90c01fd738

SHA256
9864b528e648d910af7578a87320fa5c74d2e7f383d94dfab23e80b70d56137c

SHA512
6feb020bf6ddbc8353005e33c3727f945a4f2c9572729fc1051582dc5099c6b2e8eebfe11303c62bc3fc872eddb84b05b9f17da4c5a4f0396109b3f598fae8e8

Download Submit
C:\Windows\SysWOW64\__t.dll

Filesize
84KB

MD5
b2493b0cc03d8e33ad22305d9bd149b5

SHA1
803be6849e4f08a27d25f32b61c8b2e1c911a9f8

SHA256
b8275fadeb1db9ad397c9143e54eab0849c368d50c9dad491085d4ee1b34b99e

SHA512
8a658ada1a0ec1d6e6e9bf04a66a692134b389c3f2fcb91c59b741c8fc6dcd666c65c62654f072af3da7865cc2165613ba648aacbca5d0ea7ee80fb6524e2e25

Download Submit
\??\c:\w.bat

Filesize
219B

MD5
41f949125b1bf9dd9933f56d99b6513b

SHA1
302290555d7e7e38a00f03cb8bb732c7cc76b60c

SHA256
a716ab204ef71c755679188077dae075ee5f0da6baafe82368fea17fbd04a3e5

SHA512
a746be72d433172b47085c15caa4934cfa843d49f5d711052652aa17dc42e3bfaee69871559c3dd0eca47ea87774849987f8721aa8ec4f2d20216392c3d9c661

Download Submit
memory/5076-9-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads