Overview
overview
7Static
static
3959901e9b3...18.exe
windows7-x64
3959901e9b3...18.exe
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3Puzzle_Blast.exe
windows7-x64
7Puzzle_Blast.exe
windows10-2004-x64
7bass.dll
windows7-x64
3bass.dll
windows10-2004-x64
3mysearch.exe
windows7-x64
7mysearch.exe
windows10-2004-x64
7Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-08-2024 09:53
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
959901e9b3c67ab6ce4cb9d39da0b0aa_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
959901e9b3c67ab6ce4cb9d39da0b0aa_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240704-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral5
Sample
Puzzle_Blast.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral6
Sample
Puzzle_Blast.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral7
Sample
bass.dll
Resource
win7-20240704-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral8
Sample
bass.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral9
Sample
mysearch.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
General
-
Target
mysearch.exe
-
Size
312KB
-
MD5
49f799c24707ba2933989f2447f732f7
-
SHA1
d3fbc5ce62a374b4519419ceddade4c6277f8c0d
-
SHA256
b2a164564f7882cced37eb1b712254ed13b07aa91b2b351946176f15192e1cce
-
SHA512
710de1d58b7fa68e1cddd902faa7272b933558523d20abab89958f6c13fb4a0ea66439a3058d9de8fd31304c5316c4a6b8dfc196900abbb13ef36ddac08b6288
-
SSDEEP
6144:3+bkpRwTJ5e6T9DdqbPaPowUxJMX6vnNcB1ZiRoKRU:7Ue6TiaUNnW1wRl2
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid Process 2836 mysearch.exe 2836 mysearch.exe 2836 mysearch.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10} mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\ = "My Search BHO" mysearch.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files (x86)\MySearch\bar\1.bin\S4FFXTBR.MANIFEST mysearch.exe File created C:\Program Files (x86)\MySearch\bar\1.bin\S4NTSTBR.JAR mysearch.exe File created C:\Program Files (x86)\MySearch\bar\1.bin\S4PLUGIN.DLL mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\NPMYSRCH.DLL mysearch.exe File created C:\Program Files (x86)\MySearch\bar\1.bin\NPMYSRCH.DLL mysearch.exe File created C:\Program Files (x86)\MySearch\bar\1.bin\S4BAR.DLL mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\S4FFXTBR.JAR mysearch.exe File created C:\Program Files (x86)\MySearch\bar\1.bin\S4FFXTBR.JAR mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\S4BAR.DLL mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\S4FFXTBR.MANIFEST mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\S4NTSTBR.JAR mysearch.exe File opened for modification C:\Program Files (x86)\MySearch\bar\1.bin\S4PLUGIN.DLL mysearch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mysearch.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{014DA6C9-189F-421a-88CD-07CFE51CFF10} mysearch.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32\ = "C:\\Program Files (x86)\\MySearch\\bar\\1.bin\\S4BAR.DLL" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib\Version = "1.0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin.1\CLSID mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib\Version = "1.0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32 mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\VersionIndependentProgID\ = "MySearchToolBar.ToolbarPlugin" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin\CLSID\ = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus\ = "0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\TypeLib mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\ = "My Search BHO" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin\ = "My Search Settings Plugin" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\TypeLib\ = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\ = "My Search Toolbar Plugin" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0 mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\0\win32 mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib\Version = "1.0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\Programmable mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\InprocServer32\ThreadingModel = "Apartment" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32\ThreadingModel = "Apartment" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin.1\CLSID\ = "{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin\CurVer mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib\ = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32 mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\TypeLib\ = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin.1\CLSID\ = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\ProgID mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10} mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin\CurVer\ = "MySearchToolBar.SettingsPlugin.1" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID\ = "MySearchToolBar.SettingsPlugin" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\TypeLib mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin.1 mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\ProgID\ = "MySearchToolBar.ToolbarPlugin.1" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\0 mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10} mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\Programmable mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC} mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\TypeLib mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\ProgID\ = "MySearchToolBar.SettingsPlugin.1" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32 mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib\Version = "1.0" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\InprocServer32\ = "C:\\Program Files (x86)\\MySearch\\bar\\1.bin\\S4BAR.DLL" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\FLAGS\ = "0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\Version mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\Version\ = "1.0" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10} mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin\CurVer\ = "MySearchToolBar.ToolbarPlugin.1" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}\ProgID mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32 mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.SettingsPlugin\CLSID mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin\ = "My Search Toolbar Plugin" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin\CLSID\ = "{FAC94900-96D9-47fa-BA33-7EF1BBFBBCEC}" mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib\ = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10} mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ = "IMySearchSettings" mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\TypeLib mysearch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MySearchToolBar.ToolbarPlugin mysearch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" mysearch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mysearch.exe"C:\Users\Admin\AppData\Local\Temp\mysearch.exe"1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD55501b5811411ef10e81af41b84d41e97
SHA13c8c1c4ae102fdc9b4d6c219c0f281a0abf74420
SHA256fc7b430506ad50d9f91199eafa387a8907c7f23d0c96dfe0ca59ee8778ff6628
SHA512a2a5a357038d4dfad1b3bc9a937bb0f550321f75c92d5eb82f8119b5bcb6d8cfe513bf0037a5440dcc3a2954616b7058e8a59c3ec676afa200fab738f96208ca
-
Filesize
212KB
MD58418c946cacde620027169f202ed535c
SHA15f0351041460c1871277a5958dfb138c8a7ff568
SHA256bf25b62a491ee5ef22ba7a6e1c450cd4011c7e405a0d6fcfdb2502a211e02dcc
SHA512086baffc053b23e4ebb0244491b6c7185857646b0e07a78e8b11274545508ff384d922589179d62b1a690de9645e357a4f012ee8ee95b6b8446027acc5a4880c
-
Filesize
44KB
MD578258bfc459a0128d9a7b51c9aab5183
SHA1c53821e971d90f81a5883f8900ea02df2aff71a6
SHA2568352c79e5813eb1f21035e0ab212e0454ad0b4def8c78ee23ce8318c81676490
SHA512f05b4339c72e299a5a3be99e093965c7117f39b37590865fb48b38f78bf160b1c0dbe1105c654fce5791307892ce8f272826ad6a6741fe8b327edddd81bab43d