245a56d524a469184a9727e108cc9d87f458b598455b0f598c18a7bbe01c04b5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Size

360KB
MD5

faa4fc40c46e18ad680c25d257cd4041
SHA1

5c1229b3cad1db0366c4ad16a68a5d04ec19569c
SHA256

245a56d524a469184a9727e108cc9d87f458b598455b0f598c18a7bbe01c04b5
SHA512

d10f9bf447009bdd02ccac66e55c5a364d6dce88d75035e766a46f25ad72853eb106aec064e0b13d74e2b78e64add8ed54dd21328fbe4d05cce09f765e9d3261
SSDEEP

6144:KjBBoSvIUVffQuo9TBVb787h4YhTPi5eZZbPqWYBQf19k5Nmc+Frj3:KFiexVffQuo9TP7EQ5MBJYOtunyN3

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4388	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\usrcoinf.dll	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\ProgID\ = "MyBHO3.adad.1"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\ProgID	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ProxyStubClsid32\ = "{84FFBA26-5679-4B04-AADA-4344A52476A7}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MyBHO3.DLL	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad\CLSID	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\ = "MyBHO3 1.0 ÀàÐÍ¿â"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib\ = "{C8FCBD67-A249-4836-BA20-4EE40180557F}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\AppID = "{924CE069-A627-4685-8911-00029ECADF9C}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ = "PSFactoryBuffer"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\usrcoinf.dll"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{924CE069-A627-4685-8911-00029ECADF9C}\ = "MyBHO3"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MyBHO3.DLL\AppID = "{924CE069-A627-4685-8911-00029ECADF9C}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad.1\ = "adad Class"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad.1\CLSID	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\VersionIndependentProgID\ = "MyBHO3.adad"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{924CE069-A627-4685-8911-00029ECADF9C}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\Programmable	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ = "Iadad"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84FFBA26-5679-4B04-AADA-4344A52476A7}\InProcServer32\ = "C:\\Windows\\SysWow64\\usrcoinf.dll"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\NumMethods\ = "7"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\InprocServer32	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\FLAGS\ = "0"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\0\win32	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\VersionIndependentProgID	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad\CurVer	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib\Version = "1.0"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84FFBA26-5679-4B04-AADA-4344A52476A7}\InProcServer32\ThreadingModel = "Both"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\InprocServer32\ThreadingModel = "Apartment"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\TypeLib	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad\CLSID\ = "{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\TypeLib\ = "{C8FCBD67-A249-4836-BA20-4EE40180557F}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ = "Iadad"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\WOW6432Node\CLSID	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad.1\CLSID\ = "{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84FFBA26-5679-4B04-AADA-4344A52476A7}	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\WOW6432Node\Interface	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\ = "adad Class"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\HELPDIR	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad\ = "adad Class"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad\CurVer\ = "MyBHO3.adad.1"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ProxyStubClsid32	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib\Version = "1.0"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\FLAGS	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\0	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FCBD67-A249-4836-BA20-4EE40180557F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\ProxyStubClsid32	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84FFBA26-5679-4B04-AADA-4344A52476A7}\InProcServer32	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyBHO3.adad.1	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A58CFDC4-2544-42C4-A4CF-31D5C599BB4C}\InprocServer32\ = "C:\\Windows\\SysWow64\\usrcoinf.dll"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\TypeLib\ = "{C8FCBD67-A249-4836-BA20-4EE40180557F}"	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84FFBA26-5679-4B04-AADA-4344A52476A7}\NumMethods	faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faa4fc40c46e18ad680c25d257cd4041_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\usrcoinf.dll

Filesize
68KB

MD5
b81d7e9bcf8febcc434f8f87d0ec8f27

SHA1
42f1def86cb7e7c16f6b7e3f0db0ea8f1ee4d76d

SHA256
c6bb62d0fcd40c57cfa9db67d6b6a2489db8bf7b4b5ae52d4389e6af8d58995c

SHA512
e05e9f556007128e8fdf53c776dc1e9036b7317f9b746cfeb932e78066b2e55964a3dc7e54142be602e46b1aedee017dc48ebd727bb1c81719c42be75af86dcc

Download Submit