f2bb4841e6b19d120f11b076774ad4700e7010c1f4d4bb8fb1ee8b834183c90b

Analysis

max time kernel
141s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
Size

1.5MB
MD5

270e6c70f479ff5b2aef6e5422908ff1
SHA1

23355063c4415fa24f115c57c9fb81ac6c0e4183
SHA256

f2bb4841e6b19d120f11b076774ad4700e7010c1f4d4bb8fb1ee8b834183c90b
SHA512

789a5760559fbc2757d8382fb31392b640673be211cee93c4bcb9a95a465b05b222f3fe14abb72947a4984193019065843825ad5a807597fc5f86281844d2acf
SSDEEP

24576:mfOyotfeirQIpaFaH1v1ydiGhuGxxjk3pppn8LbYt4/9WeQN7of0bDgq2yjUs2U2:mGnpbaFc+iGTk3pp+bF8HbUfyj

Score

7^/10

adware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	xa240604921.exe
4716	is-UOE0M.tmp

Loads dropped DLL 1 IoCs

pid	Process
4000	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBCEB389-8180-35F3-9784-957269E762D7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBCEB389-8180-35F3-9784-957269E762D7}\IExplore = "1"	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xa240605125.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xa240605125.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wr75449.dll	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwr75449.dll	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa240604921.exe	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{CBCEB389-8180-35F3-9784-957269E762D7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\VersionIndependentProgID\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\ = "LIB"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\ = "{BD461D2C-BD0B-37FD-BE78-531498B626BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\ = "{BD461D2C-BD0B-37FD-BE78-531498B626BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr75449.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{CBCEB389-8180-35F3-9784-957269E762D7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\ProgID\ = "D.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCEB389-8180-35F3-9784-957269E762D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr75449.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD461D2C-BD0B-37FD-BE78-531498B626BF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D05252-7A39-331C-95DA-6845EDFD73BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2116	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	81
PID 3580 wrote to memory of 2116	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	81
PID 3580 wrote to memory of 2116	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	81
PID 2116 wrote to memory of 4716	2116	xa240604921.exe	82
PID 2116 wrote to memory of 4716	2116	xa240604921.exe	82
PID 2116 wrote to memory of 4716	2116	xa240604921.exe	82
PID 3580 wrote to memory of 4000	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	83
PID 3580 wrote to memory of 4000	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	83
PID 3580 wrote to memory of 4000	3580	270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\270e6c70f479ff5b2aef6e5422908ff1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\xa240604921.exe
  "C:\Windows\system32\xa240604921.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\is-NS096.tmp\is-UOE0M.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NS096.tmp\is-UOE0M.tmp" /SL4 $70214 "C:\Windows\SysWOW64\xa240604921.exe" 1069946 52224
    3⤵
    - Executes dropped EXE
    PID:4716
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr75449.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-NS096.tmp\is-UOE0M.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
C:\Windows\SysWOW64\xa240604921.exe

Filesize
1.3MB

MD5
70c051652e1265def58d0a9fcc0bb94a

SHA1
a089cbad18f488375751cf217fae2f24308fce1c

SHA256
b5638fcae13514968921f31c38dbd01f973a3cd78d6446e081c0b9719aae29a2

SHA512
1d8f22b69179cb4607ab443d4fc6cdc2790ccf54a5e8f510701fea669561ee46c02870bc96c1fbedfab90ec97f9f943987f18c3c10cf1aef71e95e1e25e111e6

Download Submit
C:\Windows\SysWOW64\xwr75449.dll

Filesize
172KB

MD5
56f11cdd3d408e9b78dbdce69e894245

SHA1
d8792b223f5d2bd43a1cb463781d76500fa36bd7

SHA256
f73cd5b3a51aea9e7102c80e7a9b68daacce4b9c480a959434154d0e42517610

SHA512
14892912341fa3fa9f4b7df92dad32334cf01349d579b58e00a91a2077d31fac916ab893314826a3fb3c21750106e9aa454734ed55f7281cf8ac491b695a27b1

Download Submit
memory/2116-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2116-21-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2116-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4716-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4716-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download