06a2c295a3b3c1c7c72e6ad3b3b1f040a3dc5edf43031caaa2eee35f9edf9358

Analysis

max time kernel
138s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
Size

561KB
MD5

68c66a99db1e44c5aab1d4ac940cc3fa
SHA1

c3a3b367eaa55c520734105335dc7622c878d62c
SHA256

06a2c295a3b3c1c7c72e6ad3b3b1f040a3dc5edf43031caaa2eee35f9edf9358
SHA512

afe62e9622030a1aa30333a7c460ba0654306889605f7540c37964bfb0b3f7d3d754f632d02fd32e8c696cc9669ce2220befd3d360872f9409f71267d8fafd7d
SSDEEP

12288:63LtZ+cURBBRrTs1Y/uewZnKGiHY+mR9+rlj8e3kmMarv+EVQzxNsc5X:KtZ+cUfBRcYiFKbHYx3G8e3tMarzQr

Score

7^/10

adware aspackv2 discovery stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023508-6.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
4752	regsvr32.exe
4752	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\e6e3bbd21a.dll	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnabeser.dat	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\usmt\3368\svchost.exe	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\usmt\3368\svchost.exe	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\e6e3bbd21a.dll	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\usmt\imczoavey.dll	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\usmt\imczoavey.dll	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPLORER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\imczoavey.QExpTul	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4e00310000000000f7586da2100075736d7400003a0009000400efbef7586da2f7586da22e0000005534020000000a00000000000000000000000000000052395600750073006d007400000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\ = "Explore.Tp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\imczoavey.QExpTul\Clsid\ = "{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\ProgID	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000f7586ca2100053797374656d33320000420009000400efbe874f7748f7586ca22e000000b90c00000000010000000000000000000000000000001f8c7300530079007300740065006d0033003200000018000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\ProgID\ = "imczoavey.QExpTul"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\imczoavey.QExpTul\Clsid	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}\InprocServer32\ = "C:\\Windows\\SysWow64\\usmt\\imczoavey.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000e9589c73100057696e646f777300400009000400efbe874f7748f7586da22e00000000060000000001000000000000000000000000000000d7d54600570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4e00310000000000f7586da210003333363800003a0009000400efbef7586da2f7586da22e0000005734020000000a000000000000000000000000000000bf4b69003300330036003800000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\imczoavey.QExpTul\ = "Explore.Tp"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2292	explorer.exe
2292	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4460	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	88
PID 2616 wrote to memory of 4460	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	88
PID 2616 wrote to memory of 4460	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	88
PID 2616 wrote to memory of 4752	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	90
PID 2616 wrote to memory of 4752	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	90
PID 2616 wrote to memory of 4752	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	90
PID 2616 wrote to memory of 3792	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	93
PID 2616 wrote to memory of 3792	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	93
PID 2616 wrote to memory of 3792	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	93
PID 2616 wrote to memory of 2316	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	98
PID 2616 wrote to memory of 2316	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	98
PID 2616 wrote to memory of 2316	2616	68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68c66a99db1e44c5aab1d4ac940cc3fa_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Windows\system32\usmt\3368" /t /e /g everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\usmt\imczoavey.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4752
- C:\Windows\SysWOW64\EXPLORER.EXE
  EXPLORER.EXE /e,C:\Windows\system32\usmt\3368\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$306609.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$306609.bat

Filesize
182B

MD5
6a4ae4e5455311c22f32e44a57d5b986

SHA1
3c9b6e1eaf7051db207a0dd21dc2ea22b0943151

SHA256
b44c09df556d2b872d0773188c169569c41a5159ec04907192fd47e3a12170de

SHA512
f36c4872d0f1959fe848efec0227e1fb6105375f2b19edd484ff9e77bd2ab08695ca242fcb270e722e2d88696e3c8967c133c7317e74e11b4b625d1078f72918

Download Submit
C:\Windows\SysWOW64\e6e3bbd21a.dll

Filesize
138B

MD5
858453df9f337a4a24ae872e8fcf7678

SHA1
681461c9944f02677935554644f0530cfb94630f

SHA256
420791578e643d743639d93cdea23f32e85d08a71ed76ee54167274c78a3bf71

SHA512
97ca4afde70a6b71172a20a8fc8164d45bc58eb0cd17d00bf8df49ea4a7b900d092e2468bd23627e31b5480e9113dcadfd43c2b3e1f4764c06ba423b494438c8

Download Submit
C:\Windows\SysWOW64\usmt\imczoavey.dll

Filesize
280KB

MD5
04a9f33312e0f3ecac1ee2f0e4beab04

SHA1
f3792b49396fc3cbe041999234c4c544aeeee4da

SHA256
a709fcf49b60c46bde08c97c3295055ef1dccbae1d6453cc32e0d4c20072a656

SHA512
d3ccc493f67f5603e182344a9d22ff546f016bb50b63c4b980aec2f2c993d78e68fa249676e552063943790184d3b90fe72bce1082965e337592b4407d9269f4

Download Submit
memory/2616-0-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2616-24-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download