a92de038269e83be5f2fbd778f27d396916dc26efaac325d4ddf3c649b2493c3

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
Size

668KB
MD5

93cdadcc600a9c71af6a9cfe42f922da
SHA1

1da90aeac5f045dfdcb83a3052227915d8dd8a87
SHA256

a92de038269e83be5f2fbd778f27d396916dc26efaac325d4ddf3c649b2493c3
SHA512

63d293d95bb1a9ef6ca36d6a0d70fffa190d727422bd918c6fb7bbc52c1f0b805c8fffb358cd0f74ad7ad2a09cbea60f8054977c0d6c95eb78ea7bf7a054a418
SSDEEP

12288:90/T74fB5YGX41MfXn90OmWgVIvtEtxsUpCZifJfB0YwjtN:W/T7Y5+MfX6WgxQuWe9BKj

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	Update.exe

Loads dropped DLL 5 IoCs

pid	Process
1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
1684	Update.exe
1684	Update.exe
1684	Update.exe
2692	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1"	Update.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\system\direct32res.dll	Update.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp	Update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25\Visible = "0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MAO Settings	Update.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "FlashPlayer.Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\ = "FlashPlayer.Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\system\\direct32res.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "_Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\system\\direct32res.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\ = "{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\ = "FlashPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\system"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "FlashPlayer.Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "_Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\ = "{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501\Blob = 0300000001000000140000002740be0cb97a22380960230e8f45fe5abb8bb50120000000010000004e0200003082024a308201b3a0030201020210dcca5610c590c29b4e3072e09d524260300d06092a864886f70d01010405003030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303039204341301e170d3939303933303136303030305a170d3336303731363136303030305a3030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e67203230303920434130819f300d06092a864886f70d010101050003818d0030818902818100ac35c135556bfbe9aa23267d193307a3d21e3c3975848ed762eea3ac46b3c2f219ee14aaef982c692a53c3a930f5b96bed2665d352e97a4f466b46585a0badd07e8302cf2758082a709ccceda363371e975a3ddbd22c393f86838e8e28300db13ccb51b2a27362fa5704458d31700b7979c3f553daa841d25c1b80eba3055f350203010001a365306330610603551d01045a3058801012b5fcd50cba242caede5742b3d426fca1323030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e6720323030392043418210dcca5610c590c29b4e3072e09d524260300d06092a864886f70d0101040500038181001ec29560ca4e3b696815d43a65d7d3c05fb597f979d8f31c07820b06ec6d72e199321111165afec24e065c7cfe436e07aaa1a7958a7d588bb6f072fed284984bf632390e0452bb49faaac5b7a19662fc15d3884e8c1ca2fd6401289183ecc161520c79e3ba53e1cc5fca9726cf8cd6f93efca2f5a63d91f80f6ab91df0fb9f24	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1684	Update.exe
Token: SeBackupPrivilege	1684	Update.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
1684	Update.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1476 wrote to memory of 1684	1476	93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30
PID 1684 wrote to memory of 2692	1684	Update.exe	30

C:\Users\Admin\AppData\Local\Temp\93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93cdadcc600a9c71af6a9cfe42f922da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  C:\Users\Admin\AppData\Local\Temp\Update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Common Files\system\direct32res.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\system\direct32res.dll

Filesize
139KB

MD5
d24d52d9bf629e1029c9219c26c93350

SHA1
8c6c5f8c32408b9807b0d16cd76709a393ac56f8

SHA256
b4ac66370305f2ad453fce9b34c2ce3e88010151b843d578b6eb51519fd463cd

SHA512
3db217730f50d291345dc1cb4e761721054b2a924b0c54b808aac87c154858fbfd843f891ec924350b474928ca6769c32ce8fa5493e1565676ce74ce54162599

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
171KB

MD5
805c26bc39f68d78c52074e40e519140

SHA1
a9b44c432bc59f04974642aaa20eb0b1d23ba58c

SHA256
771eca87e288cdde72b4ff1bc8aff033a6cc4533419374307d9e005500a1e230

SHA512
6d8d488bf2efb614db43fa1962f417afc373906105a23f065105e62ab09d821271a91476d3677ecdbf37b98a3e0e5d2a354b10b0dac9d87e86f8c4fc5710474c

Download Submit
memory/1476-2-0x0000000002C10000-0x00000000036CA000-memory.dmp

Filesize
10.7MB

Download
memory/1476-17-0x0000000004DC0000-0x0000000005E22000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads