47ffb920fceccd76781e0b05fdf7782bd79077966935cefa93ecaba606217fea

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Size

361KB
MD5

2556f32e581ce57bc019fe8c9dd22af9
SHA1

a014297528533c3766fbf6dc66c19545f03ad874
SHA256

47ffb920fceccd76781e0b05fdf7782bd79077966935cefa93ecaba606217fea
SHA512

7f166a4a83d9b4148d2c4983d10b3099b2dcd33eca54cad6821da44d2dc3a19bbbc4f792f9bec6f8a526fa88f204d4d4ebe22fbf3e40d4b8751295846099c928
SSDEEP

6144:WX0pFWpLmRK8GV3aIllFdgfW9fO1Mg8LamHH5hMs/XzCgPqTWLLtbjZaqi:PWpLhV3HjFCfqfELF6HssPzCgPqTWLLC

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 15 IoCs

pid	Process
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
2944	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}\NoExplorer = "\"\""	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nsi21E5.tmp	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nsi21E5.dll	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cont_coolblueads-remove.exe	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}\InProcServer32\ = "C:\\Windows\\SysWow64\\nsi21E5.dll"	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}\InProcServer32\ThreadingModel = "Apartment"	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}\ = "coolblueads"	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a2ea4c55-fff9-3910-fda1-95238efb7b3e}\InProcServer32	2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2556f32e581ce57bc019fe8c9dd22af9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst20EB.tmp\NSISdl.dll

Filesize
14KB

MD5
997ae296af5b7ca9aaa52f6844075439

SHA1
9814f0b09219ac2eed875d842b9362c3b32bec6f

SHA256
1d74275fb0ddcb7c01a92c4ea5c7ef137cdfa0b48ae2b293f0ea178b355cbaa8

SHA512
a81ee17129278a185e91f6615da2d9e47940580fcaac3806ace17a0c0e48995f8e85de6deedcec502782141acd381fb7dd1c72a93fcd40112afadc3741572349

Download Submit
\Users\Admin\AppData\Local\Temp\nst20EB.tmp\System.dll

Filesize
10KB

MD5
32465a07028b927b22c38e642c2cb836

SHA1
309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

SHA256
eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

SHA512
9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

Download Submit
\Windows\SysWOW64\nsi21E5.dll

Filesize
367KB

MD5
c89d0d7a8ef333885c0e1b7111b98207

SHA1
7e3359747c4e24d8837d54d07ca8cd262ac47b63

SHA256
1b2d1feaffdda22dbee1d1707bc8ec316f5bd4e60dbfca6ae5371fa853c069c3

SHA512
6f7452cab9ca215983c6c16dd865697b883cc4414f67c76ee9a077f8c30270604573b7bdfefc71547fedb745ac9cfedc7afeb6fc439d6cc5da1d32be3f29929a

Download Submit
memory/2944-47-0x0000000002810000-0x0000000002871000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads