d568c62e8c9f52e03c50b6309815d03f12dbbaba46b948acd769f10aa181070a

Analysis

max time kernel
130s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
Size

46KB
MD5

a5f36f4bd449a249562398e766106df2
SHA1

8f325fd10787fee56651e085bd1c0c393c809663
SHA256

d568c62e8c9f52e03c50b6309815d03f12dbbaba46b948acd769f10aa181070a
SHA512

257ff325f06c886c5aaa4ab957d1125b4613cee0463b64463dd7fd1e1638296e6da5878915b8595b07c1385e458fb4b7ec5b384ccc8769e9ab07d43813414985
SSDEEP

768:VLi0NnqrjIcGA+9H5MQO7BUdLOyOLm/Cb5vTOc74Hpyfogpty2uhNqFeTCL:ViHIcz+j0W2QA5v974JyZuC

Score

7^/10

adware discovery evasion stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1576	JambSalutary.exe
2632	JambSalutary.exe

Loads dropped DLL 1 IoCs

pid	Process
3184	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	JambSalutary.exe
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	JambSalutary.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\ImplicitAxis\RailKnocker.exe	JambSalutary.exe
File created	C:\Program Files\ImposeKnocker\ImposeImplicit.exe	JambSalutary.exe
File opened for modification	C:\Program Files\ImplicitAxis\RailKnocker.exe	JambSalutary.exe
File opened for modification	C:\Program Files\ImposeKnocker\ImposeImplicit.exe	JambSalutary.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ZAYUOZBIDUJF.dll	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JambSalutary.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JambSalutary.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
1576	JambSalutary.exe
1576	JambSalutary.exe
2632	JambSalutary.exe
2632	JambSalutary.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3184	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	94
PID 392 wrote to memory of 3184	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	94
PID 392 wrote to memory of 3184	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	94
PID 392 wrote to memory of 1576	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	98
PID 392 wrote to memory of 1576	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	98
PID 392 wrote to memory of 1576	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	98
PID 392 wrote to memory of 2632	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	99
PID 392 wrote to memory of 2632	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	99
PID 392 wrote to memory of 2632	392	a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5f36f4bd449a249562398e766106df2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\ZAYUOZBIDUJF.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\JambSalutary.exe
  "C:\Users\Admin\AppData\Local\Temp\JambSalutary.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\JambSalutary.exe
  C:\Users\Admin\AppData\Local\Temp\JambSalutary.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ImposeKnocker\ImposeImplicit.exe

Filesize
46KB

MD5
a5f36f4bd449a249562398e766106df2

SHA1
8f325fd10787fee56651e085bd1c0c393c809663

SHA256
d568c62e8c9f52e03c50b6309815d03f12dbbaba46b948acd769f10aa181070a

SHA512
257ff325f06c886c5aaa4ab957d1125b4613cee0463b64463dd7fd1e1638296e6da5878915b8595b07c1385e458fb4b7ec5b384ccc8769e9ab07d43813414985

Download Submit
C:\Users\Admin\AppData\Local\Temp\JambSalutary.exe

Filesize
28KB

MD5
6697555ead62e6b9fb71a0ffb6d62992

SHA1
55b57b52fe0d4af8716db57a98ab011b1dbe4181

SHA256
683a7e3bc4e63ba70bf88c23ae895109d19fc02c9d084ddd759a5569b56d2cd6

SHA512
36b7c24cbc5cef1ea6cca65c2054e3baae7096932bbb2caa4857d4f324407fe5a92e610d7baf979dfa881d82f9c99c74037b774967cd5d31af5a120bd9eefdf8

Download Submit
C:\Windows\ZAYUOZBIDUJF.dll

Filesize
78KB

MD5
ace39935dcfff2855df95edca1d090bd

SHA1
3412e25590d85688488a3c9fd82722b6b39fe478

SHA256
f9b6eae623a7d235c70e022b587723e9003c26db88198f41ab8674768a1abcaa

SHA512
72d548107504ca55e41f7e10c5e7f41ba5e628fccaad342f80ab5792e4436d711a3994c46086bbe1210ee8d73c1187da8858a9f39c7e204f5e822c4a483ec4c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads