a7924e618d851ab96123cc61f81ed51801ba0f3b23860b553b65a43fb6df43d2

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a024e5422d6dc19da41182fdfa017a7_JaffaCakes118.dll
Size

124KB
MD5

4a024e5422d6dc19da41182fdfa017a7
SHA1

a15dfc3f61f55a3fd25fe158dad9e965a767a32a
SHA256

a7924e618d851ab96123cc61f81ed51801ba0f3b23860b553b65a43fb6df43d2
SHA512

0a066aafc2193bcb4ab294b9af0956dd1de59415b1c2375099dc892318036239650712908abfa529b6b54a1ae8fe818488455e10e0faa6184a30c22119f7256d
SSDEEP

3072:p+7xJ5aDQIi+jV2n7WyZuCk1vnf4o4dQ:o5ZCjVktZuMd

Score

7^/10

adware evasion stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3068	SQH4DHFEY.EXE
2860	ScandalScandal.exe
2744	ScandalScandal.exe

Loads dropped DLL 4 IoCs

pid	Process
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SQH4DHFEY.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini	ScandalScandal.exe
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini	ScandalScandal.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AxisImplicit\VandalizeDissonant.exe	ScandalScandal.exe
File created	C:\Program Files\RailPageant\HarridanPreside.exe	ScandalScandal.exe
File opened for modification	C:\Program Files\RailPageant\HarridanPreside.exe	ScandalScandal.exe
File created	C:\Program Files\AxisImplicit\VandalizeDissonant.exe	ScandalScandal.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ZAYUOZBIDUJF.dll	SQH4DHFEY.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4a024e5422d6dc19da41182fdfa017a7_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
3068	SQH4DHFEY.EXE
2860	ScandalScandal.exe
2860	ScandalScandal.exe
2744	ScandalScandal.exe
2744	ScandalScandal.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 904 wrote to memory of 1964	904	regsvr32.exe	30
PID 1964 wrote to memory of 3068	1964	regsvr32.exe	31
PID 1964 wrote to memory of 3068	1964	regsvr32.exe	31
PID 1964 wrote to memory of 3068	1964	regsvr32.exe	31
PID 1964 wrote to memory of 3068	1964	regsvr32.exe	31
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2704	3068	SQH4DHFEY.EXE	32
PID 3068 wrote to memory of 2860	3068	SQH4DHFEY.EXE	34
PID 3068 wrote to memory of 2860	3068	SQH4DHFEY.EXE	34
PID 3068 wrote to memory of 2860	3068	SQH4DHFEY.EXE	34
PID 3068 wrote to memory of 2860	3068	SQH4DHFEY.EXE	34
PID 3068 wrote to memory of 2744	3068	SQH4DHFEY.EXE	35
PID 3068 wrote to memory of 2744	3068	SQH4DHFEY.EXE	35
PID 3068 wrote to memory of 2744	3068	SQH4DHFEY.EXE	35
PID 3068 wrote to memory of 2744	3068	SQH4DHFEY.EXE	35

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4a024e5422d6dc19da41182fdfa017a7_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4a024e5422d6dc19da41182fdfa017a7_JaffaCakes118.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\SQH4DHFEY.EXE
    "C:\SQH4DHFEY.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\ZAYUOZBIDUJF.dll"
      4⤵
      Modifies registry class
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\ScandalScandal.exe
      "C:\Users\Admin\AppData\Local\Temp\ScandalScandal.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\ScandalScandal.exe
      C:\Users\Admin\AppData\Local\Temp\ScandalScandal.exe
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SQH4DHFEY.EXE

Filesize
92KB

MD5
4a42fb37d4df3f030a5d35a2b11b1633

SHA1
3f9e3a4508bcc97d6b34480b720868c36e60b883

SHA256
ec63e163ba62ab91e83d2bb8c9fe2c7122a6afae66303321fb617b77e90e50d8

SHA512
9687b6d0d9ca2f1fcf0fdd1468998e7b3dc0b17d3ff26ff685236f9f199ab5d7fe2eba3d2f8904c15f56ce7239cfe45a383da03e3f44c478004345d109572ce8

Download Submit
C:\Windows\ZAYUOZBIDUJF.dll

Filesize
124KB

MD5
4a024e5422d6dc19da41182fdfa017a7

SHA1
a15dfc3f61f55a3fd25fe158dad9e965a767a32a

SHA256
a7924e618d851ab96123cc61f81ed51801ba0f3b23860b553b65a43fb6df43d2

SHA512
0a066aafc2193bcb4ab294b9af0956dd1de59415b1c2375099dc892318036239650712908abfa529b6b54a1ae8fe818488455e10e0faa6184a30c22119f7256d

Download Submit
\Users\Admin\AppData\Local\Temp\ScandalScandal.exe

Filesize
28KB

MD5
6697555ead62e6b9fb71a0ffb6d62992

SHA1
55b57b52fe0d4af8716db57a98ab011b1dbe4181

SHA256
683a7e3bc4e63ba70bf88c23ae895109d19fc02c9d084ddd759a5569b56d2cd6

SHA512
36b7c24cbc5cef1ea6cca65c2054e3baae7096932bbb2caa4857d4f324407fe5a92e610d7baf979dfa881d82f9c99c74037b774967cd5d31af5a120bd9eefdf8

Download Submit