5b135865e338b8f4b5cf7cd82a3031d9a276713a1d21477b8ff48c6364b2ea7d

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
Size

464KB
MD5

fd87aead92db51a025fcdef38d65b57c
SHA1

104d62e65715c26ac75209be3d4cafb687a2f42d
SHA256

5b135865e338b8f4b5cf7cd82a3031d9a276713a1d21477b8ff48c6364b2ea7d
SHA512

5835e92113037d085620233b38c4693d4e37272810bd8e9e81b5ec96ec6997919164f47f417e5a8ae8a323b9f150d2bcfbbbfd1e1884468965301f33b099bbf8
SSDEEP

6144:2CjVktZuHoHz6A8FxqbDC+pu6HapDhPnUCmzKLR0xcL:2CjutZuKyYBu66pl/uzAF

Score

7^/10

adware discovery evasion stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4324	CraveLongitude.exe
1468	CraveLongitude.exe

Loads dropped DLL 1 IoCs

pid	Process
336	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	CraveLongitude.exe
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	CraveLongitude.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\IntricacyHarridan\IntricacyPageant.exe	CraveLongitude.exe
File created	C:\Program Files\PageantTournament\ImplicitVandalize.exe	CraveLongitude.exe
File opened for modification	C:\Program Files\PageantTournament\ImplicitVandalize.exe	CraveLongitude.exe
File opened for modification	C:\Program Files\IntricacyHarridan\IntricacyPageant.exe	CraveLongitude.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ZAYUOZBIDUJF.dll	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CraveLongitude.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CraveLongitude.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
1468	CraveLongitude.exe
1468	CraveLongitude.exe
4324	CraveLongitude.exe
4324	CraveLongitude.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 336	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	82
PID 3972 wrote to memory of 336	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	82
PID 3972 wrote to memory of 336	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	82
PID 3972 wrote to memory of 4324	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	83
PID 3972 wrote to memory of 4324	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	83
PID 3972 wrote to memory of 4324	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	83
PID 3972 wrote to memory of 1468	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	84
PID 3972 wrote to memory of 1468	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	84
PID 3972 wrote to memory of 1468	3972	fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd87aead92db51a025fcdef38d65b57c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\ZAYUOZBIDUJF.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:336
- C:\Users\Admin\AppData\Local\Temp\CraveLongitude.exe
  "C:\Users\Admin\AppData\Local\Temp\CraveLongitude.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\CraveLongitude.exe
  C:\Users\Admin\AppData\Local\Temp\CraveLongitude.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IntricacyHarridan\IntricacyPageant.exe

Filesize
464KB

MD5
fd87aead92db51a025fcdef38d65b57c

SHA1
104d62e65715c26ac75209be3d4cafb687a2f42d

SHA256
5b135865e338b8f4b5cf7cd82a3031d9a276713a1d21477b8ff48c6364b2ea7d

SHA512
5835e92113037d085620233b38c4693d4e37272810bd8e9e81b5ec96ec6997919164f47f417e5a8ae8a323b9f150d2bcfbbbfd1e1884468965301f33b099bbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraveLongitude.exe

Filesize
28KB

MD5
6697555ead62e6b9fb71a0ffb6d62992

SHA1
55b57b52fe0d4af8716db57a98ab011b1dbe4181

SHA256
683a7e3bc4e63ba70bf88c23ae895109d19fc02c9d084ddd759a5569b56d2cd6

SHA512
36b7c24cbc5cef1ea6cca65c2054e3baae7096932bbb2caa4857d4f324407fe5a92e610d7baf979dfa881d82f9c99c74037b774967cd5d31af5a120bd9eefdf8

Download Submit
C:\Windows\ZAYUOZBIDUJF.dll

Filesize
496KB

MD5
5686a86a476ae752c063f88384296e95

SHA1
8050c70a4c97b6e0852aa6f057a1181daf51373f

SHA256
cf182ad9f2cceadc73853df358a0ab461120e92eebf6c602e378945f4fbcdd87

SHA512
ea0560b9f57ee73b31fb3a6dc8090ea789d266011053218c9e7bb8f92e5ae5dcad402c6a939123571856ab91934a0bc8cca5fcf5e470b545faa1ca3fa18103d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads