f2bb4841e6b19d120f11b076774ad4700e7010c1f4d4bb8fb1ee8b834183c90b

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
Size

1.5MB
MD5

270e6c70f479ff5b2aef6e5422908ff1
SHA1

23355063c4415fa24f115c57c9fb81ac6c0e4183
SHA256

f2bb4841e6b19d120f11b076774ad4700e7010c1f4d4bb8fb1ee8b834183c90b
SHA512

789a5760559fbc2757d8382fb31392b640673be211cee93c4bcb9a95a465b05b222f3fe14abb72947a4984193019065843825ad5a807597fc5f86281844d2acf
SSDEEP

24576:mfOyotfeirQIpaFaH1v1ydiGhuGxxjk3pppn8LbYt4/9WeQN7of0bDgq2yjUs2U2:mGnpbaFc+iGTk3pp+bF8HbUfyj

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	xa259430442.exe
2824	is-0TAN7.tmp

Loads dropped DLL 7 IoCs

pid	Process
1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
2176	xa259430442.exe
2176	xa259430442.exe
2176	xa259430442.exe
2824	is-0TAN7.tmp
2824	is-0TAN7.tmp
2604	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBCEB389-8180-35F3-9784-957269E762D7}\IExplore = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBCEB389-8180-35F3-9784-957269E762D7}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wr75449.dll	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwr75449.dll	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259430442.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259430645.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xa259430645.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr75449.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\ = "{BD461D2C-BD0B-37FD-BE78-531498B626BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\VersionIndependentProgID\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ProgID\ = "D.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr75449.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{CBCEB389-8180-35F3-9784-957269E762D7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\ = "LIB"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{CBCEB389-8180-35F3-9784-957269E762D7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\ = "{BD461D2C-BD0B-37FD-BE78-531498B626BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	is-0TAN7.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 1356 wrote to memory of 2176	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 2176 wrote to memory of 2824	2176	xa259430442.exe	31
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2604	1356	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\xa259430442.exe
  "C:\Windows\system32\xa259430442.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\is-UE5J8.tmp\is-0TAN7.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UE5J8.tmp\is-0TAN7.tmp" /SL4 $70154 "C:\Windows\SysWOW64\xa259430442.exe" 1069946 52224
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2824
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr75449.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xa259430442.exe

Filesize
1.3MB

MD5
70c051652e1265def58d0a9fcc0bb94a

SHA1
a089cbad18f488375751cf217fae2f24308fce1c

SHA256
b5638fcae13514968921f31c38dbd01f973a3cd78d6446e081c0b9719aae29a2

SHA512
1d8f22b69179cb4607ab443d4fc6cdc2790ccf54a5e8f510701fea669561ee46c02870bc96c1fbedfab90ec97f9f943987f18c3c10cf1aef71e95e1e25e111e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-JGI8K.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UE5J8.tmp\is-0TAN7.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
\Windows\SysWOW64\xwr75449.dll

Filesize
172KB

MD5
56f11cdd3d408e9b78dbdce69e894245

SHA1
d8792b223f5d2bd43a1cb463781d76500fa36bd7

SHA256
f73cd5b3a51aea9e7102c80e7a9b68daacce4b9c480a959434154d0e42517610

SHA512
14892912341fa3fa9f4b7df92dad32334cf01349d579b58e00a91a2077d31fac916ab893314826a3fb3c21750106e9aa454734ed55f7281cf8ac491b695a27b1

Download Submit
memory/2176-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2176-17-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2176-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2824-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download