1e24be50b447c99792bc77054da30018cc7b38d93fb63c9432fae43c6d65d9c0

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe
Size

166KB
MD5

01af3eb235b095bdd5980323be7359da
SHA1

247a9e0d9674d07c3da41faf383f1d30e569c01d
SHA256

1e24be50b447c99792bc77054da30018cc7b38d93fb63c9432fae43c6d65d9c0
SHA512

b06a3bfe1ea0f72ebd0107e96960492f78afba2751e3cfef645dfdb801768f8159d7c696fe1061615fabd2fffa46bb68f279856f54476f0e1078ea4e92c83cc3
SSDEEP

3072:BB+/3kbkJpU4BB/I+H1VWpvZUoNF+dm4NzLXZIjAXczw9:BrfoH1VWvUc+dvNBcz2

Score

7^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4472	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\IETimber\IETimber.dll	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\IETimber\IP.dat	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\IETimber\uISGRLFile.dat	regsvr32.exe
File created	C:\Program Files (x86)\Internet Explorer\IETimber\Uninstall.exe	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\IETimber\\IETimber.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\VersionIndependentProgID\ = "Toolbar_bho.IeToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\ = "IETimber"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CurVer\ = "Toolbar_bho.IeToolbar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Explorer\\IETimber\\IETimber.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ = "IIeToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ = "IIeToolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\ = "{065683C4-C71A-47F1-830B-7D9309D3913D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\ProgID\ = "Toolbar_bho.IeToolbar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\ = "Toolbar_bho 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CLSID\ = "{489873CE-F3E1-44A3-8E89-04BE26BE4446}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Explorer\\IETimber"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar.1\CLSID\ = "{489873CE-F3E1-44A3-8E89-04BE26BE4446}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\ = "{065683C4-C71A-47F1-830B-7D9309D3913D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\ = "IETimber"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar.1\ = "IETimber"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\TypeLib\ = "{065683C4-C71A-47F1-830B-7D9309D3913D}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4472	4936	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe	82
PID 4936 wrote to memory of 4472	4936	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe	82
PID 4936 wrote to memory of 4472	4936	01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01af3eb235b095bdd5980323be7359da_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Explorer\IETimber\IETimber.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\IETimber\IETimber.dll

Filesize
189KB

MD5
36c56c0f69df06f8184d3ef0b96b907c

SHA1
d324380bdc537bf3573642267e40f3534d233acb

SHA256
ee28040116358159e35b132fc81ea2aa8efd8a4dc103b2a7dff4a60fcaa64495

SHA512
ab66f0bcf04a717e5ea3a453d4bb1a9823e8410033d63dafa2d72eb6616cdf60e5be88f880596a4d9ef9e820d61a4e8076c9e88923dac33e697305c66b33dee5

Download Submit
C:\Program Files (x86)\Internet Explorer\IETimber\IP.dat

Filesize
24B

MD5
0d87d522011c4c250f60a3fa4e744310

SHA1
e05367920ee8681b2a3ac42db2137b105b090d6f

SHA256
95d50984688698344c925332224fe99578d1064df44d3b5df3169a0167be6515

SHA512
e85f668da0419020e1f9bb00f34fbe29295e7fc0f995edf66f69e3ea5243ceb7260317d0d464056bfd95668f12d03d277fa86bfc4aac70564d2f9ce0387b896e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads