6980ae0a926e38f407e78c7ddf3ccab3bad157ec08c25b5c8c9c1d5cab7a6ea8 | Triage

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 22:23 UTC

Sharing

Report Analysis Logs

General

Target

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Size

10KB
MD5

f0ba467f6eafd29d1dd2e0b56568116a
SHA1

04cdcbfe3ea5f5ca08343760291b4611b317c790
SHA256

6980ae0a926e38f407e78c7ddf3ccab3bad157ec08c25b5c8c9c1d5cab7a6ea8
SHA512

891d77cf3546ad1aa6b7e649bfa4059cf1986e5046820f672b28e6fa872fd5465fa5c7d4f75e9d72337dc2abe4de156276dd0c10e921c39d7868753a0aaa4492
SSDEEP

192:toeYAHdr/M9LWgbdcp6YpF8GT3F4bEXL4t/BKuflLj+TV3mUuzx5vpM1AD8fifFC:tdVdr/M+p6u8Q4wXYZKudn+5mx5+1AQv

Score

10^/10

adware evasion stealer trojan

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Windows security bypass 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

Modify Registry

Browser Extensions

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://www.google.com/ie"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://www.google.com/ie"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://www.google.com"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.google.com"	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3032	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
3032	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3032	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
3032	f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Windows security bypass
- Windows security modification
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3032

Network

DNS

do-scan-progress.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-scan-progress.com

IN A

Response
DNS

do-make-progress.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-make-progress.com

IN A

Response
DNS

do-progress.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-progress.com

IN A

Response
DNS

do-managed-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-managed-scan.com

IN A

Response
DNS

do-power-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-power-scan.com

IN A

Response
DNS

do-step-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-step-scan.com

IN A

Response
DNS

do-monster-progress.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-monster-progress.com

IN A

Response
DNS

domonster-progress.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

domonster-progress.com

IN A

Response
DNS

domonster-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

domonster-scan.com

IN A

Response
DNS

dopower-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

dopower-scan.com

IN A

Response
DNS

dostep-scan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

dostep-scan.com

IN A

Response
DNS

do-monsterscan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-monsterscan.com

IN A

Response
DNS

do-powerscan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-powerscan.com

IN A

Response
DNS

do-stepscan.com

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

do-stepscan.com

IN A

Response

No results found

8.8.8.8:53

do-scan-progress.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

66 B
139 B
1
1

DNS Request

do-scan-progress.com
8.8.8.8:53

do-make-progress.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

66 B
139 B
1
1

DNS Request

do-make-progress.com
8.8.8.8:53

do-progress.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

61 B
134 B
1
1

DNS Request

do-progress.com
8.8.8.8:53

do-managed-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

65 B
138 B
1
1

DNS Request

do-managed-scan.com
8.8.8.8:53

do-power-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

63 B
136 B
1
1

DNS Request

do-power-scan.com
8.8.8.8:53

do-step-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

62 B
135 B
1
1

DNS Request

do-step-scan.com
8.8.8.8:53

do-monster-progress.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

69 B
142 B
1
1

DNS Request

do-monster-progress.com
8.8.8.8:53

domonster-progress.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

68 B
141 B
1
1

DNS Request

domonster-progress.com
8.8.8.8:53

domonster-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

64 B
137 B
1
1

DNS Request

domonster-scan.com
8.8.8.8:53

dopower-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

62 B
135 B
1
1

DNS Request

dopower-scan.com
8.8.8.8:53

dostep-scan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

61 B
134 B
1
1

DNS Request

dostep-scan.com
8.8.8.8:53

do-monsterscan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

64 B
137 B
1
1

DNS Request

do-monsterscan.com
8.8.8.8:53

do-powerscan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

62 B
135 B
1
1

DNS Request

do-powerscan.com
8.8.8.8:53

do-stepscan.com

dns

f0ba467f6eafd29d1dd2e0b56568116a_JaffaCakes118.exe

61 B
134 B
1
1

DNS Request

do-stepscan.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3032-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3032-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3032-1-0x0000000000404000-0x000000000040A000-memory.dmp

Filesize
24KB

Download
memory/3032-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download