59405ef1dabdd1e2867c39afef04233e235ad930670ccb7e34878f92dfe0b29f

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe
Size

380KB
MD5

29f73ab6ffbf198271e38f48e18d33e1
SHA1

28e790e4822a2efd1ea6152e3755ac5612b54d19
SHA256

59405ef1dabdd1e2867c39afef04233e235ad930670ccb7e34878f92dfe0b29f
SHA512

863c9b082a509eb48eb72681872aafc3d47f47e56a49794ab321098371021dec2471b7b480f31474d5d7851c9dffd1aadc50774b2ca7c1922708eeb24e965bfd
SSDEEP

6144:+ltmzk6QDBB0UB9fx+GCy0YdcgzC4HXWSauwsIWaV1Fqd4L/PF4FqyCf:+ltmzXQY8p0GjmX4HXAund4LnyZ4

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2712	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D9661AF0-C190-497C-884A-D4CED14BB1E0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\ = "xuulibP"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xuulib.dll	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xuulib.dll	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}\ = "xuulib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\TypeLib\ = "{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\TypeLib\ = "{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\CLSID\ = "{D9661AF0-C190-497C-884A-D4CED14BB1E0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\ = "JetMimeFiltr Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\TypeLib\ = "{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\AppID = "{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\ = "xuulib Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\ProxyStubClsid32\ = "{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\{E4BF93C1-D1E0-422E-82C1-8338FE72BA0B} = 7b00440039003600360031004100460030002d0043003100390030002d0034003900370043002d0038003800340041002d004400340043004500440031003400420042003100450030007d00	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CurVer\ = "Lexlibplugin.LexlibMimeFiltr.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\ = "xuulibA Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\ = "xuulibB Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\InprocServer32\ = "C:\\Windows\\SysWOW64\\xuulib.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer\ = "xuulib.AClass.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\xuulib.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\TypeLib\ = "{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\VersionIndependentProgID\ = "xuulib.BClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\TypeLib\ = "{B8606A0A-9EA3-451C-89F6-E3D306F72FB9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ = "IJetMimeFiltr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\ProgID\ = "xuulib.BClass.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9661AF0-C190-497C-884A-D4CED14BB1E0}\ProgID\ = "xuulib.AClass.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ProxyStubClsid32\ = "{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B11DA719-6EFC-42A7-B03F-50FC32AA1B69}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ = "IJetMimeFiltr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7CFEC75-A194-43BA-9849-9D09A3E52ECA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B797D429-BF6D-4F31-A8CC-C8678E0AA5B8}\ProxyStubClsid32	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2712	3044	29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29f73ab6ffbf198271e38f48e18d33e1_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\regsvr32.exe
  .\regsvr32.exe /s xuulib.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xuulib.dll

Filesize
349KB

MD5
8b5ea4d800861e7dfb4bfcad593e8ca3

SHA1
ec5379f66dbc66afe09eaa7dc07bcba551f9739d

SHA256
50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795

SHA512
7a9cb045bb8b811254ff01d5389ec5e4a799ecde5441ddf0b35d52d524c2bfd142da8f5701ed88672fd451866f32cce7ca8c1d409153e7d71678e8a466fb1418

Download Submit