Overview

overview

7

Static

static

3

42f3a1d26f...18.exe

windows7-x64

7

42f3a1d26f...18.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...sh.dll

windows7-x64

1

$PLUGINSDI...sh.dll

windows10-2004-x64

1

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$TEMP/~nsi...86.dll

windows7-x64

1

$TEMP/~nsi...86.dll

windows10-2004-x64

3

Cloud-Web_2_86.dll

windows7-x64

6

Cloud-Web_2_86.dll

windows10-2004-x64

6

Cloud-Web_2_86.dll

windows7-x64

6

Cloud-Web_2_86.dll

windows10-2004-x64

6

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

1

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

1

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

3

Cloud-Web_...86.dll

windows7-x64

1

Cloud-Web_...86.dll

windows10-2004-x64

3

Cloud-Web_run.exe

windows7-x64

6

Cloud-Web_run.exe

windows10-2004-x64

6

Cloud-Web_run.exe

windows7-x64

6

Cloud-Web_run.exe

windows10-2004-x64

6

Cloud-Web_tb_2_86.dll

windows7-x64

1

Cloud-Web_tb_2_86.dll

windows10-2004-x64

1

Cloud-Web_tb_2_86.dll

windows7-x64

1

Cloud-Web_tb_2_86.dll

windows10-2004-x64

1

cloudidsvc.exe

windows7-x64

1

cloudidsvc.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42f3a1d26fb4dcbf86ffa3289aa3dc10_JaffaCakes118.exe

  • Size

    587KB

  • MD5

    42f3a1d26fb4dcbf86ffa3289aa3dc10

  • SHA1

    60b5c3a0ba32b79596fbc264b3df6f1818957ed9

  • SHA256

    2f14f9b66d7054613c2e84f70d04fd5cdb3b2c99ec7f72d14123feffcf6a8808

  • SHA512

    8d8abf9d08d872133519d468ff980682c88a47d9567372a5cc457ed8d743cfc8ff1ffe97c62be5a1bbcef59407d3a887b37d0eab0aae4129ba3fa7cd94951f51

  • SSDEEP

    12288:pab0pEkOM74sWha8LkW3kXcYWLBKMXLUa3oYViTeyJILJQ:4IjzrqLLkW3zBBNgqiSQ

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 32 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42f3a1d26fb4dcbf86ffa3289aa3dc10_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\42f3a1d26fb4dcbf86ffa3289aa3dc10_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /stop
      2⤵
      • Executes dropped EXE
      PID:2744
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /u
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2624
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:840
    • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
      "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2356
  • C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
    "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Cloud-Web\Cloud-Web_run.exe
    Filesize

    127KB

    MD5

    cc2c7d2ca1d6a2100680f77b32a3ac2c

    SHA1

    f23dfeb12c78a44cb2d6191eb3f405a147ae6167

    SHA256

    875589feb35cbc36355d6ccf062e97fba77b94f102a7560b636aecda570457a9

    SHA512

    7f11137990210a5130bd48be37b1496a3ce835a88a047d026e10a3484035a9749faa7105f9fd4e1658e7f3f8447b6dc784b6d941cc6a56511f65bf553baff578

    Download Submit

  • C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240713.txt
    Filesize

    379B

    MD5

    aabcb8b5404edf03cf6024d61d6c1857

    SHA1

    e6d6a28cc3e3251d06dd4ca5be2da283eebd197d

    SHA256

    69ab3374ba65883c00016097ad11294b097460d7aca2ddd855193a87693fb76e

    SHA512

    0890ae876dbfa3e9bbab78a85828be784582c0375e38134c04dfbb53485575b5fdc1d14bf969d781a3ac193987dad70f42e341405920838b35c0acdfc8ebd4f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsj7A40.tmp\splash.jpg
    Filesize

    631B

    MD5

    d68e763c825dc0e388929ae1b375ce18

    SHA1

    7951a43bbfb08fd742224ada280913d1897b89ab

    SHA256

    25cf0f0ce42f8acd9ea6facc223f54105c7fd0cce63fb7bb5d83e6600100acbd

    SHA512

    1e146e2631a4f3bd091905ccc10ed1054700349648cd52aad24eaeeedff0fac4b44b6212284a6d0855942ff16308c66402ecb895e68ef1c66dcd496973043cdb

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_2_86.dll
    Filesize

    123KB

    MD5

    cd80e012b768c6fbfcf209a10bcfb2b2

    SHA1

    e1c01bd52be5861cd20696484c043a2b77d22222

    SHA256

    ee3ba8b64aeaacac397cd4fe81bd4433f23bf7b144a65c18034b1323e6e75c23

    SHA512

    d1cc91089165ef8507bd8bf21aa76d2373579e7e5e793ee72bd123b9bb8135e8d61272db79aa5d47f3848d8a2a54dd1c9a5b3892ba1f00cc4dc8e2367063f44a

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_mime_2_86.dll
    Filesize

    210KB

    MD5

    e03152320af546785839f21cefd28ce1

    SHA1

    7264e5753bb5313b9ceb69d05c15e000ed938559

    SHA256

    6807aee8007988c5409a947a526c187c66e349886399541454800ce2a99c2442

    SHA512

    93681775e96cb80b8cc4b89c788902f5070497c5a0120c0ba965c14e651ab3726387bc0d3f8feeaf315ae45bd7bf40bf37f1e2fd379b89bc812c9dd2fdfefb5e

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_tb_2_86.dll
    Filesize

    127KB

    MD5

    2f476c794155a6d41487ab48ca6091a8

    SHA1

    999d2036b8e6b4fb75db915e8fcd1447652c6816

    SHA256

    25fcf3cb6a01fa879cd8153ce826564505967049e9a66811c972a8384e320092

    SHA512

    f7c82513dcc6d6f09e0d7b634f2ff8d5fe6864fce05729a807a82150fb196666a355c19f01657a8628b3592d3d15c93dfe7ffee78816e9cfa441b52c4f47f91c

    Download Submit

  • \Program Files (x86)\Cloud-Web\cloudidsvc.ex_
    Filesize

    107KB

    MD5

    191d8246a87565d7291f8d518c60912e

    SHA1

    45cf9834d3930b1b91e075999c44dd143bcc5a4d

    SHA256

    9ae3b2a05985b28b28439b667b26f3bb2543f7ac757ca0187beacd67dd898b37

    SHA512

    208c2312317e776e6c63e7fe5504178142be6fcee03df00b392b249db529cb55b94974465d7282331f6dec096821208046b2ad462e66e8b9d2c7b13df12d7846

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj7A40.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj7A40.tmp\newadvsplash.dll
    Filesize

    8KB

    MD5

    7ee14dff57fb6e6c644b318d16768f4c

    SHA1

    9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce

    SHA256

    53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7

    SHA512

    0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj7A40.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    8f4ac52cb2f7143f29f114add12452ad

    SHA1

    29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

    SHA256

    b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

    SHA512

    2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsis\Cloud-Web_nad_2_86.dll
    Filesize

    551KB

    MD5

    10b188c019ba9e23fec9b06f272c3438

    SHA1

    5c50e3ce77935a3ef6a2679bccf9a228f4d42eef

    SHA256

    90d999d46e21356297a1ca84ffe5e94e3e29d767437d4e805950dc2250269b8a

    SHA512

    018bdf75222bf7ce2edefcc9cf896658b2e7f63ef8cf7f2497c5145935d9b59591fec37dc9fb0c4801681d3d6178aa07a400fef88527119eb8366f8ca35ec00a

    Download Submit

  • memory/2700-49-0x0000000003210000-0x000000000322F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2700-53-0x0000000003210000-0x0000000003230000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2700-56-0x0000000003EC0000-0x0000000003F4D000-memory.dmp

    Filesize

    564KB

    Download

  • memory/2700-13-0x0000000000480000-0x000000000050D000-memory.dmp

    Filesize

    564KB

    Download