525c681989f7972c61e681916f66813cfda6c7582d94518c81feab44bd87cb18

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 13:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Size

28KB
MD5

396bc25c0b1ff88010afc43f6c780dc0
SHA1

45e61770e43b82038094a0b3a48289d747d305a2
SHA256

525c681989f7972c61e681916f66813cfda6c7582d94518c81feab44bd87cb18
SHA512

08b9e5ad02b838a62d235168058ccf8a42873566bf59ab9f7a149c71da688814eecb0c276d2ed4ace6e684d8e8606e41d44351db41e09749d4557964e915efea
SSDEEP

768:UASzs0W71gYRBshcgJarkkqTl4I6HVWQ4:ed2mskZaI6HVWQ

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001227c-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2680	iebtmm.exe

Loads dropped DLL 3 IoCs

pid	Process
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001227c-1.dat	upx
behavioral1/files/0x0009000000016d6c-5.dat	upx
behavioral1/memory/2680-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2680-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}\	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ieextend.com/redirect.php"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.qwertysrch.com/index.php?b=1&t=0&q={searchTerms}"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Search	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}\www = "www"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}\InprocServer32	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iebt.dll"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BD44AB1-76A7-4E05-92F4-4B065FE72BD6}\InprocServer32\ThreadingModel = "Apartment"	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe
1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
2680	iebtmm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2648	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2648	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2648	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2648	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2680	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2680	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2680	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2680	1628	396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\396bc25c0b1ff88010afc43f6c780dc0_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\iebt.dll

Filesize
8KB

MD5
c76406cb18c7f93b30e58f79918cdf7e

SHA1
3596f7432fc9bfb3883289ed8c89390d4d5b1bd7

SHA256
bbf65e7120e9815ff6805c80990c9d1eadd6346643e7b76367539b04031f78ab

SHA512
ee2f155c022afab33e6d79fa5661bd6cc599ab30094f637aeac3f0e20bcbfe7ae139599217ef312052575e7cce320eaf23dc08ecf5e7516886ae440553e2415f

Download Submit
\Users\Admin\AppData\Local\Temp\iebtmm.exe

Filesize
5KB

MD5
e311db7ac7efd73d36ea0a374a828d45

SHA1
b8361f95029a80e77732a41f572f67fdebfead23

SHA256
49e34d15ddc53ecffc38bc5ad4202ad6d68eb6c27e95d1fff924e2cd7d05cdaa

SHA512
d7479392025fd4327d52b4d12187c787b6718deca38eefa4924a2615c42ec9409ee2d1f4255a2f404c457ded67028c6f83de7ad2fbc3fd00178609b48385cdd1

Download Submit
memory/1628-3-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1628-13-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1628-12-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1628-17-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1628-18-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1628-19-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2680-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2680-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download