11b1b6c25ddd8eb4d811064343ea686dadd87d5908eca6080151403797d433a1

Analysis

max time kernel
134s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe
Size

2.0MB
MD5

f9e7fb9533c65bb27b08070778b61c51
SHA1

62ce14d60eb065cf00eefb47268c1c9eec2c25a7
SHA256

11b1b6c25ddd8eb4d811064343ea686dadd87d5908eca6080151403797d433a1
SHA512

f095cad1ad1a5b0cc424033dbaeed5f6df1490dc2f1ef60e92b5b323eb6c9a029e212b0889851e3311e4e6ec51d21692f280e0ca353f128a26547fcd9d794799
SSDEEP

49152:mZYaw9wenh9vKo73FDIIp0/fdU7e3JM3XoyJ5beoSfOzcE1K:Ww9wap3FUu+a7e3JM3XJFJSWzcE1K

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3064	dfMEO0H.exe

Loads dropped DLL 3 IoCs

pid	Process
3064	dfMEO0H.exe
4148	regsvr32.exe
2136	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfnlfkikkbpagenpoflmhkedgmcepabe\1.0\manifest.json	dfMEO0H.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfnlfkikkbpagenpoflmhkedgmcepabe\1.0\manifest.json	dfMEO0H.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfnlfkikkbpagenpoflmhkedgmcepabe\1.0\manifest.json	dfMEO0H.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfnlfkikkbpagenpoflmhkedgmcepabe\1.0\manifest.json	dfMEO0H.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfnlfkikkbpagenpoflmhkedgmcepabe\1.0\manifest.json	dfMEO0H.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}\NoExplorer = "1"	dfMEO0H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}\ = "YoutubeAdblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30B81C25-8F89-C614-07C8-CBE048D17532}\ = "YoutubeAdblocker"	dfMEO0H.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.x64.dll	dfMEO0H.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.x64.dll	dfMEO0H.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.dll	dfMEO0H.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.dll	dfMEO0H.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.tlb	dfMEO0H.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.tlb	dfMEO0H.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.dat	dfMEO0H.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.dat	dfMEO0H.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfMEO0H.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{30B81C25-8F89-C614-07C8-CBE048D17532}	dfMEO0H.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{30B81C25-8F89-C614-07C8-CBE048D17532}	dfMEO0H.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	dfMEO0H.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	dfMEO0H.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ = "YoutubeAdblocker"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ProgID\ = "YoutubeAdblocker.1.0"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\VersionIndependentProgID	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\InprocServer32	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\InprocServer32\ThreadingModel = "Apartment"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\VersionIndependentProgID\ = "YoutubeAdblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ = "YoutubeAdblocker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\Programmable	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{30B81C25-8F89-C614-07C8-CBE048D17532}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{30B81C25-8F89-C614-07C8-CBE048D17532}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\N_hIFD.dll"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{30B81C25-8F89-C614-07C8-CBE048D17532}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	dfMEO0H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\Programmable	dfMEO0H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\VersionIndependentProgID	dfMEO0H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\N_hIFD.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532}\ProgID	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dfMEO0H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	dfMEO0H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	dfMEO0H.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3064	2180	f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe	86
PID 2180 wrote to memory of 3064	2180	f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe	86
PID 2180 wrote to memory of 3064	2180	f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe	86
PID 3064 wrote to memory of 4148	3064	dfMEO0H.exe	88
PID 3064 wrote to memory of 4148	3064	dfMEO0H.exe	88
PID 3064 wrote to memory of 4148	3064	dfMEO0H.exe	88
PID 4148 wrote to memory of 2136	4148	regsvr32.exe	89
PID 4148 wrote to memory of 2136	4148	regsvr32.exe	89

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{30B81C25-8F89-C614-07C8-CBE048D17532} = "1"	dfMEO0H.exe

C:\Users\Admin\AppData\Local\Temp\f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9e7fb9533c65bb27b08070778b61c51_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\01fd2ea8\dfMEO0H.exe
  "C:\Users\Admin\AppData\Local\Temp/01fd2ea8/dfMEO0H.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3064
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdblocker\N_hIFD.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01fd2ea8\N_hIFD.dll

Filesize
414KB

MD5
ffe3f0c62f2fede9890b18d73724fd97

SHA1
0dafa42039405f8d49a6790180194076bd57c833

SHA256
2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8

SHA512
84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\N_hIFD.tlb

Filesize
3KB

MD5
8d10c52cfa044ccdcfff4e0b5775babd

SHA1
3b2c872ab3237d7b74377032ed7a5239c82df766

SHA256
af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156

SHA512
123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\N_hIFD.x64.dll

Filesize
461KB

MD5
0231aebb8155fd069d17eab6a679cc1e

SHA1
61cb4b5228e6253863391ef3346c2f9920dbc554

SHA256
fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672

SHA512
42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\dfMEO0H.dat

Filesize
3KB

MD5
be31db4f484afd63b73a50ac351dc54d

SHA1
0f03afeb7b6d3ccdf850e8aa7d816f2ebb4f396b

SHA256
893585ed231e57483183838443b6402b65052b9cdd6ffbff904369d5ab609bbb

SHA512
ccd4c9226e911500fa5aa40f5484a6375405f77c373c5bc8a8d645f8142b8990162c3abff43655bdf98a031c6e2835e2cfe7ef8ccceb81a4f820f9a4c10b7315

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\dfMEO0H.exe

Filesize
679KB

MD5
dc0ac7dbdcbbb8b2561ba9b8ccab3d37

SHA1
95dbb41d9379f67837ad5fe00bb6aedee08cbce4

SHA256
4f3e000ef6cb1842f0e1a43e1c02061e2dff8ef01e76aca524520f0642abd88e

SHA512
d99793b78ba24f96375cbc67f04cf66b484fbc3e71152696f325a90ac25d7d6bbbfeb70c86cf42a10209964d0d8cd2378d7c6138bbede6bbd4de1ff464239c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\[email protected]\chrome.manifest

Filesize
27B

MD5
4970a9d4bdf29a60f8d24e9caa43c40b

SHA1
f225e979f89294733abc1d8c19f350cf7ee5d8ba

SHA256
9043bc22936b064bfb3bf5d8e25f49364f1552fc2473c1767dde454d4ac1dbd3

SHA512
81c26ec44bf6fee4599b28c6774b06c35000994176ac0813552fc35174c32621090233ff8b609912f041f219e8a4cfa8f9d8197123f102dd3d81505a6c9f329b

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\[email protected]\content\bg.js

Filesize
29KB

MD5
bd7249717df9aaff90875c0a8d2bad25

SHA1
26c0f1217f4c77254d1c6f72c4def56d3af2323f

SHA256
9dea72007511125c47cfcc375cb32e208ac892704c34d681248ed87484dddd7c

SHA512
a88e6b1ef4a2dc208e842fde954aded77441cba6d82b5daa2f494e70acc55e47cc68030c76b6a20c2c471073947af1ca6691ebba5e9e6e752af04caf0d66175f

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\[email protected]\install.rdf

Filesize
610B

MD5
4af5ffe282039519dd0e4d9d4d163c59

SHA1
eae1ab672a70dd8f90e7e03b02cd30481fd2e959

SHA256
7a270b3b13778da926a6bcb4997904d89015971698a3b23301a10373effb6d9d

SHA512
54da3b8ef7fd7e036a17f274b2d8cca42e341527d54aa4f0c8bcd87b01eb924abe897a5ed44c0cb62f5e187459fc6e82e58be7720213957e5af45f8be60aa723

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\mfnlfkikkbpagenpoflmhkedgmcepabe\background.html

Filesize
145B

MD5
2f455b4673fd3b436270fc5be0c86367

SHA1
42bc7f7335c8c605ef7b0181571e8b4031b55c2f

SHA256
5df1bcc50cb32a1d60a135d3ce584305ce16a4f1d56e9d9cd8b084a60d6ae15c

SHA512
e36158627f95a13c657922f2b81dadfcb0f38928cef17f0a486758d4d87c5a8154f7e00941cf4c53a5845aee9ee440490b74a8d66acd26fa6ce5134ef141d869

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\mfnlfkikkbpagenpoflmhkedgmcepabe\content.js

Filesize
5KB

MD5
9ecb9efd857208be035b361fe541b142

SHA1
63f05a609f0f1e82f24dfdf7317f1996bed6b7a0

SHA256
862e660aee0cb154ddee68ca01838133e119e4810268836a5501625c55404c15

SHA512
5387307023137000263b4ee51491c65b0ec791a5ce234d369041dab6d38ac21720a98caa79c308b38da7490a6b2900a3812fa68b4f837abb757c44dd86d5fcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\mfnlfkikkbpagenpoflmhkedgmcepabe\lsdb.js

Filesize
7KB

MD5
2b7f0e7b5a8e703c38351c073c87dee4

SHA1
2d200b60e08a30e4edd5d0b7d21b6ff6e69e35c4

SHA256
8dd02f56e3144af6447a113592c92ee73ab0232c092a0524c3911bffe3ad8090

SHA512
4bb10789a7608a7aa35095115cbfa9d56ed5e2bc7d9e6a3bf5cdff4f03587b7e0b1825a8c8898e9b8c4d1026531521e8c798fa24867a78f141094473bfe36633

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\mfnlfkikkbpagenpoflmhkedgmcepabe\manifest.json

Filesize
508B

MD5
e2832fbedae560495781610b5c511afa

SHA1
95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108

SHA256
6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2

SHA512
2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fd2ea8\mfnlfkikkbpagenpoflmhkedgmcepabe\zaGnUwh1.js

Filesize
25KB

MD5
770877e2ec43968e777197deee15806b

SHA1
b4c1b9890a7c6574988da981e6e7111c8d5e1d95

SHA256
995adadefc6a437901bb4c38c58afcfec417b4353c1db9d5d1edba80b3f36628

SHA512
8242b9570642f4920c1d9d01131897fc3a4b4e8bcd08a530e56b466bb382cc46ffbef473c91cc0efe06d01256e5bb43c60a10a2ebfac5da2618297459d2fde21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads