9064e64e75cd5fae3aa95397a33781a87095dbec26ee71c13735240b0860feba

Analysis

max time kernel
66s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
Size

519KB
MD5

9421464cf78b98c1b1a37142ad260fa2
SHA1

efd97543122d16fc4d89d61692ebb4d4cb02c0d5
SHA256

9064e64e75cd5fae3aa95397a33781a87095dbec26ee71c13735240b0860feba
SHA512

eeb2d0c565f1278c45aa95f31459e9cb2c1d096801a55b9269b5b44c2d746e4795ae7af3e9d9eae5b09acd8b4f2509de02c9e814d47579b325a4a40d9b7207ca
SSDEEP

12288:hkSrioegMlKSRcK7XpPhJoeQbOzST3PtCOckue:u2J8lTX7RXolqy

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{86EBD5B2-0796-49AD-AE08-846C3146D168}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oobe\lvhphwrbu.dll	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oobe\lvhphwrbu.dll	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\06d7d99657.dll	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\06d7d99657.dll	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnabeser.dat	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\9355\svchost.exe	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oobe\9355\svchost.exe	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPLORER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4a003100000000000d59dd8e10006f6f62650000360008000400efbeee3a881a0d59dd8e2a0000003b0e00000000010000000000000000000000000000006f006f0062006500000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvhphwrbu.VeeQbain\Clsid	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 56003100000000000d59da8e100053797374656d333200003e0008000400efbeee3a861a0d59da8e2a00000027090000000001000000000000000000000000000000530079007300740065006d0033003200000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5200310000000000e45857aa100057696e646f7773003c0008000400efbeee3a851ae45857aa2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvhphwrbu.VeeQbain	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ProgID\ = "lvhphwrbu.VeeQbain"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvhphwrbu.VeeQbain\Clsid\ = "{86EBD5B2-0796-49AD-AE08-846C3146D168}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ProgID	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4a003100000000000d59dd8e1000393335350000360008000400efbe0d59dd8e0d59dd8e2a000000c19401000000070000000000000000000000000000003900330035003500000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32\ = "C:\\Windows\\SysWow64\\oobe\\lvhphwrbu.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvhphwrbu.VeeQbain\ = "ExpBandse"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ = "ExpBandse"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2804	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2804	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2804	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2804	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	30
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 3024	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2756	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2756	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2756	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2756	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	33
PID 2864 wrote to memory of 1160	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	20
PID 2864 wrote to memory of 2052	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2052	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2052	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2052	2864	9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9421464cf78b98c1b1a37142ad260fa2_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\oobe\9355" /t /e /g everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Windows\system32\oobe\lvhphwrbu.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3024
- - C:\Windows\SysWOW64\EXPLORER.EXE
    EXPLORER.EXE /e,C:\Windows\system32\oobe\9355\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$306609.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$306609.bat

Filesize
182B

MD5
9f30835efceb8c536ec0f392e6694dac

SHA1
f6c70ef594e6b7786975cf5e907f61373f9d62ab

SHA256
f150b41daf4857667a0faa332523933c8a5e08910c81041b6712dcc4e417586e

SHA512
1e5a7d3852f4364de87243be4be44f00c5066d6e95ee59d1ca0b0129e329f1284f30e037b947392323fd296cf4540de2b70789b103f0295d3a2a804340e5dcae

Download Submit
C:\Windows\SysWOW64\06d7d99657.dll

Filesize
138B

MD5
ca98e9604aa990682185699f6eff8a11

SHA1
fa55e0f3f41d179470117124f42dd769261f24d2

SHA256
25e03464ec30a92f3104acba9743b64a08572a5089b90452f518b87e1ce7dcbd

SHA512
98a39a1e349594c3d0b1e8986426cda1ea93e66926376305011fffc0298e7a77a616852711b7b26c769fdec4812d8b86b3be29af648e8f6826401da7e985f7a1

Download Submit
C:\Windows\SysWOW64\oobe\lvhphwrbu.dll

Filesize
522KB

MD5
8ae9360934a504d6dee07a7434936015

SHA1
4737d47d7b46582e8c9f3390e64ca0309bfee24b

SHA256
24fe29186fe1019517ce323b9e37de4bb59e8ca71efe38a81550be202ce8a3a4

SHA512
4fd6f154c3ad7df892bca54946c28d287a3b8d1e11b07dfad07570fe5124163c5cbf5373e5b284c24fc0afdaebbea6ead1899ff2079cd18387f9837a354487eb

Download Submit
memory/1160-10-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2024-9-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2864-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2864-11-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2864-32-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3024-8-0x0000000000200000-0x0000000000288000-memory.dmp

Filesize
544KB

Download