Analysis
- max time kernel: 93s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2024 06:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- Size: 284KB
- MD5: eabd97d624ebef7809e50afcb50793fb
- SHA1: d8524612eca39a85fefb93f20500887d086ba2cd
- SHA256: 5835bce4e7a52ed636b94d5ad69731123f3e1f1684b3fd9bd8fe187dbbf7721c
- SHA512: 33cb6c2185d7345d4a0b5eba9097fb041185ffc9f8443733a5541c707e3b90be98f4e1b2c259b8c0195f1353fd742a1f007ebc9845a8ac05567447c80e7a111d
- SSDEEP: 6144:pTfFmbRnOTr085p8mkJKriGjpWsaBtiaG+6alaBT/:vcOc85pEGWiaG+6alaJ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | process
- 4500 | wybho.exe

Loads dropped DLL (1 IoC)
pid | process
- 4580 | Regsvr32.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEC40E14-C890-407E-92E6-63471580C379} | Regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEC40E14-C890-407E-92E6-63471580C379}\NoExplorer = "1" | Regsvr32.exe

Drops file in System32 directory (1 IoC)
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\wybho.dll | wybho.exe

Drops file in Program Files directory (12 IoCs)
description | ioc | process
- File created | C:\Program Files (x86)\Internet Explorer\__tmp_rar_sfx_access_check_240622140 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Internet Explorer\1.vbs | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Internet Explorer\wybho.exe | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\9ptv.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Internet Explorer\77zb.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\77zb.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\wybho.exe | wybho.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\1.vbs | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\wybho.exe | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Internet Explorer\9ptv.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Internet Explorer\taobao.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\taobao.ico | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Regsvr32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wybho.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Modifies registry class (53 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\0 | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID\ = "{BEC40E14-C890-407E-92E6-63471580C379}" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\ProgID\ = "WYBHO.wybhotool.1" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\FLAGS\ = "0" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\HELPDIR\ = "C:\\Windows\\system32" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ = "Iwybhotool" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib\Version = "1.0" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ = "Iwybhotool" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\ProgID | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9} | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL | WScript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID\ = "{BEC40E14-C890-407E-92E6-63471580C379}" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib\Version = "1.0" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\ = "wybhotool Class" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | WScript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib\ = "{013E7B5A-B4B9-4829-A433-74AF62F161F9}" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ProxyStubClsid32 | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\HELPDIR | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\ = "wybhotool Class" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\InprocServer32\ThreadingModel = "Apartment" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ProxyStubClsid32 | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\COMMAND | WScript.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\VersionIndependentProgID | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\ = "WYBHO 1.0 Type Library" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OPENHOMEPAGE | WScript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\ = "wybhotool Class" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379} | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\Programmable | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\TypeLib | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\0\win32 | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\VersionIndependentProgID\ = "WYBHO.wybhotool" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer\ = "WYBHO.wybhotool.1" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\InprocServer32 | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEC40E14-C890-407E-92E6-63471580C379}\TypeLib\ = "{013E7B5A-B4B9-4829-A433-74AF62F161F9}" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0 | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013E7B5A-B4B9-4829-A433-74AF62F161F9}\1.0\FLAGS | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D} | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL\OPENHOMEPAGE\COMMAND | WScript.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1 | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | WScript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | Regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib\ = "{013E7B5A-B4B9-4829-A433-74AF62F161F9}" | Regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D}\TypeLib | Regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A21BAA9A-25E1-4EDB-B916-2DC8A8E7EC2D} | Regsvr32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
- 4500 | wybho.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process
- 2704 | WScript.exe
- 2704 | WScript.exe
- 2704 | WScript.exe
- 2704 | WScript.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process
- 2704 | WScript.exe
- 2704 | WScript.exe
- 2704 | WScript.exe
- 2704 | WScript.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
- 4500 | wybho.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | procid_target
- PID 964 wrote to memory of 4500 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 82
- PID 964 wrote to memory of 4500 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 82
- PID 964 wrote to memory of 4500 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 82
- PID 964 wrote to memory of 2704 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 83
- PID 964 wrote to memory of 2704 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 83
- PID 964 wrote to memory of 2704 | 964 | eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe | 83
- PID 4500 wrote to memory of 4580 | 4500 | wybho.exe | 84
- PID 4500 wrote to memory of 4580 | 4500 | wybho.exe | 84
- PID 4500 wrote to memory of 4580 | 4500 | wybho.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe (PID 964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eabd97d624ebef7809e50afcb50793fb_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\wybho.exe (PID 4500)
    Command line: "C:\Program Files (x86)\Internet Explorer\wybho.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Regsvr32.exe (PID 4580)
      Command line: Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class
  - C:\Windows\SysWOW64\WScript.exe (PID 2704)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Internet Explorer\1.vbs"
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 27d181dd2b71f896abdfb69966e49246
  SHA1: c388d6ebf9d23d9e545a829077dbe1447be53fd0
  SHA256: b4fa8439b6c293ddb1b2acce84a6895d9d2031b3e7d572663a7b117bad8da32d
  SHA512: 671bc6cb16043d9c04700dac3f1e1b2cf5a268e17eba332dd57c31c1e86330461e43fc7d65f40cda5eaaa9b70688b4f9a2f0d367cded64b8cba3439627e75e4f
- Filesize: 198KB
  MD5: 6a7b4162469a71bd1841db99911ef3b9
  SHA1: 33ccae74a1680f9072fb806c0e64435ae4cb21cc
  SHA256: a51e3206b7e222258e24f96d9cd20d175c84356591e3c0fe5488f89e60fdca28
  SHA512: 1cd93d15bcf5bd0a7d445b3c5527ea8241d2fd492fdc829140d5c6fb4973b641962b83bfbaa34b95cc84e0f87b136ec9787dde868a8ebfcfa052c6927bfdecb1
- Filesize: 170KB
  MD5: 6745c069b4bec1776e4e5d4f5addeeba
  SHA1: 3c2d832aa5efef89777baaea48b9eafd3d4b7787
  SHA256: 1de37494565e117d1cc3996ded0ddbe06535cd8d3787a64574dde22719fea17a
  SHA512: a70b84fdefc86e3508104f70c81281e4b6a7a96443d381f2cec5a43e671ce07248da1551e3601afc93513bc9a4857782cf7a9788dd3ac6287cedc40a9a0fef65