9b31d0a58d4bd0d04651a2b29590f3c76493bb50fd5e6d21afb6c1d6a291e433

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Size

395KB
MD5

08733ff9ca8d10dc8a89d5054e9b6ffc
SHA1

d813297226e4ee80245c95ec0344a650089bad21
SHA256

9b31d0a58d4bd0d04651a2b29590f3c76493bb50fd5e6d21afb6c1d6a291e433
SHA512

d7b9a4585facb170da19816c5536ec6a585523e46546393742e2d34e3c5ba2ba55ce71aa4ed0a66e8895bd691e1581ffd8a2c0a1f5a8d2b947225232ae4c8831
SSDEEP

6144:Fwg4zMoMVe/VRHzhV3yxXPhlfCWfBJ8V8jcq0m3b+HBp85Z5vF5qxds7EpG9CGkQ:L4m8nHziNh9CWZSVxULQI5N0xdsoe6Pm

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 20 IoCs

pid	Process
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
4968	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}\NoExplorer = "\"\""	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cont_globaladsolution-remove.exe	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nso767B.tmp	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nso767B.dll	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}\InProcServer32	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}\InProcServer32\ = "C:\\Windows\\SysWow64\\nso767B.dll"	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}\InProcServer32\ThreadingModel = "Apartment"	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{126a8a86-a4fe-b53b-9560-32f740a9dbcd}\ = "globaladsolution"	08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08733ff9ca8d10dc8a89d5054e9b6ffc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso762C.tmp\NSISdl.dll

Filesize
14KB

MD5
2a2af69379ed269c61893e8146e18f52

SHA1
03264b45960d3f1fde4b031db47ab7a3f863713d

SHA256
e323b74c36dc52c2a3fbda49d998744cf64cab102f0d72796472ab55d2c784d4

SHA512
49388047397e33f1ed502bd0c5e61b98b33881f794fb52ca229db5b589af9ecb370e9043e2143dcb62cd9d00df6cacc89589734c83f9fda0ceb3f216c0bedeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso762C.tmp\System.dll

Filesize
10KB

MD5
82f7926fd7d12e3eb8ed7b5232bcf956

SHA1
6065fc921b742cc86c77ce2533fc1d17359eb45e

SHA256
604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984

SHA512
b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7

Download Submit
C:\Windows\SysWOW64\nso767B.dll

Filesize
542KB

MD5
c0c2c941fe026df81c03cbac605ca74b

SHA1
6d49fff20749d748598a8eb981ba64e5dee3a5db

SHA256
474acc2dd87957d3b228ac293c6dfee476c8bf53d90eaa1a008dc4a20201878c

SHA512
256a9511373a3f1b985eda07c384fe8bf538a5ce4f18bdbf62e32b791314b11016f883f48631172e57cf713b0362730b7ddf55f370a937966d872f2162345c46

Download Submit
memory/4968-69-0x0000000002EE0000-0x0000000002F6E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads