Overview

overview

7

Static

static

3

0e096d59ed...18.exe

windows7-x64

7

0e096d59ed...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e096d59eda311780d7123e869622ad9_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    0e096d59eda311780d7123e869622ad9

  • SHA1

    eaf7a50ab84f5891c0221d4c75ec0bb0f87de1bd

  • SHA256

    8dcadab44c153f08c373fe9ab63d034dbea546ef85ef02cb1242d343051d5c82

  • SHA512

    da9c45481fbb4a45b3d0a8aa2a4b856fa90868febdd4bda18a90a5bfac3e0f022a0b623ff4ea6027438f22de34278a451f46220db9fa8fce3e02e2c40ca399e8

  • SSDEEP

    49152:vseJ5il2nBUA8j5djC8QeefkniGkCoNdvzDKocOO61xEebA5rOYiZnO:b5nBb8j5djfHykiGkbNhWzOO8EebSivo

Score
7/10
adwarediscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Temp\is-4O1QP.tmp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4O1QP.tmp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.tmp" /SL5="$4010A,1733017,70144,C:\Users\Admin\AppData\Local\Temp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
        "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2164
      • C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
        "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:568
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1880
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1396
      • C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
        "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml
    Filesize

    51KB

    MD5

    01116f926b28cb3442473d8b47a6dd8f

    SHA1

    5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

    SHA256

    01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

    SHA512

    df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\games_cheats.xml
    Filesize

    5KB

    MD5

    7073a70d1b6686f09af08d9293312d9a

    SHA1

    c61fa40156758870b9adc9eca4792c1dcfb9ba67

    SHA256

    d12f3624ca49dea04dd4261f4818e2a8ad351d1174fc93d96baeb2e44f1a9e47

    SHA512

    e5b29d26e3b1fcb64ba143c68e18b4e093e38e17f63ac7657383292787b8291a8e8ac55f1ff5d52529e4b860d5592add20ee6af1df577b604abed4fcfad67626

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online.xml
    Filesize

    5KB

    MD5

    3b1d45e2edc9cbbea793044e38850cca

    SHA1

    eb1d2a9e7f2d09403db17ecf84374b61f4209bc4

    SHA256

    e14bce863c9d889b2504859ca347237671ee665c39b80b598f36b1144565d9f0

    SHA512

    2db3cacfc459555c9ae1ae363df20443081d02981093fd5296f4ae60599852f1231b6461b7729c680ac33c0fd2f82ac3efb0d4edec7430bb674176ac82e9c46f

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals.xml
    Filesize

    4KB

    MD5

    44ba440389117fa3e14874d775078bec

    SHA1

    1d3e203ace72d4bcbbefbeeb763cf0590a5ee0d6

    SHA256

    548b1a9ff7a2bbdf05e16fb4bfd7742e24fb11ee521026ff51ebde089fa8d4b5

    SHA512

    23b456faf697a3baa279cde6a9ade4aed8a587b6f4d9856e7cd3522495c76022cdaa0271d2b9cee8bd9b8958dc022fc196b9dd735a0f48113366e2beeaa62e04

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml
    Filesize

    3KB

    MD5

    ccd6e298e340f9adc0e7359e9e924441

    SHA1

    87a1a8110e60fe6e0322e253170fb07c64dfc97b

    SHA256

    81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

    SHA512

    2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Buttons\games_shops.xml
    Filesize

    3KB

    MD5

    c35bd24a98af13e62e45aa0dc5031527

    SHA1

    83dce6472736128db9b045302511c80c6397220b

    SHA256

    14ef50810ca79d511d2c57d4ba72aa4239bc8cb8cc50f2819d98c4d94f0de12a

    SHA512

    a3183a7289fbe29ebe860760af298ea18d521574ac741e96ae5a21373cceea9928d9f6eec9a7a6f3733e55f4997a707bb2d495e9971ba252883964b9fc3a069e

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Inbox.dll
    Filesize

    1.0MB

    MD5

    cd888cb4001979913c7bb32ea4fdd166

    SHA1

    c440de38adda037c5dee8bbba0edb02936472241

    SHA256

    e995569814c123b90f8d818e6766a1281a8dbae8dd444b17ea889e6f3342151b

    SHA512

    82e5ac55053b0b69b466ca896edd540beed309e04445de6c279d2b9c92167a6bb612c6598f6b2c4d30b11f9e535d600e67c799d798eb198b9bebf7cd6f53b2f3

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Inbox.ini
    Filesize

    2KB

    MD5

    57fdef96a4b9dcafcf1a6f3071c05435

    SHA1

    410e589f111cde947f685dad735fe3c772a6c63f

    SHA256

    b8060f3334d579a64a1e913288e9a4f469b1c4445ce01601dcf1fcc6d2d46aa4

    SHA512

    3750f61f5e6c9a30c85954eff833842a572c04f2c819f04ff6eed952850309dc78623c34db581d7fc72475981d0b48c8332e0cbb3d85665d0da80d3957e693ac

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Inbox.ini
    Filesize

    2KB

    MD5

    24999b34a68cb7b76c73a5eb9b8b9636

    SHA1

    f15a9acfd474bde6ca172f18e1d014d6ceb5e9f5

    SHA256

    b6b662c328c59c07f54760848c40760adb67f2e18586c18ccc4bfa24f64763c7

    SHA512

    68007009210c8d1b161bfddba857efe506c15ee77a4860fe863e03cd47ef3e2c02947045480d31248b0399de69e126ba32f17fab009582719dc82deb5e12fc03

    Download Submit

  • C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll
    Filesize

    1.5MB

    MD5

    1423ca8491ed48bdf7642c0c2039c65c

    SHA1

    f1814ed24a69bbc20439db332e3f890232008a90

    SHA256

    cbc93a395a1098918b3000be6043d52a2043f04ba01b20c909f72fcfba8af57d

    SHA512

    dcd469381908c8c818edb432d282a819c74bf7d01c5dd32838574531f3eea22dfecb82a25ed8d0b0223c72aed228c28d4cae465eed87bc33788a177eb2653d89

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini
    Filesize

    30B

    MD5

    129a4ce81f9a7b3dc2d98e090a069f05

    SHA1

    a266de9a5f3fea40e7de85ddfde49f4b6c515c96

    SHA256

    9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

    SHA512

    3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini
    Filesize

    89KB

    MD5

    6b72fbdc939dffb3c9d268d521459f91

    SHA1

    948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

    SHA256

    9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

    SHA512

    f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico
    Filesize

    1KB

    MD5

    34f4618666b7e80e687b25b82a7da5e2

    SHA1

    ab543a8992b71891139d608d77403a59bfabd501

    SHA256

    fa975f7a7a854a7730b1c92d1567706dce2eab80d78cf131eb1cec40e88cb7e3

    SHA512

    b7e4eeccdd9d84d9a352e9490f19d08c06c54554ac52e3ba9aa1a81de2181a6a185387a323122021303afe32da21ceb3f1f6aa3524c45a6c8d9abac4144237eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabC959.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarCC3A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J82V3.tmp\RI_AfterDot.bmp
    Filesize

    84B

    MD5

    7ccd5a0af4da51cf4962f184fcf9456a

    SHA1

    de37f4521fa7fee49b37898f4136728e8971ee0f

    SHA256

    8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

    SHA512

    d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J82V3.tmp\setupcfg.ini
    Filesize

    44B

    MD5

    786c3df15033a3093221e5cd317b52cc

    SHA1

    b2185180383c3cf72041c47e8103447705207a16

    SHA256

    eb1fd4aa3e91301fa3fc22cd7fa7fd76373d1d42823a90e43fa49c832dcd775f

    SHA512

    59902dbf6785a97d40e2327c20940dd82fefb6536cbb00d0c8307dfa82d6702eb6ac2a551c4d48cdfd372a97c0821c9bd8768413f11607133a5cdd588ff84ac5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-J82V3.tmp\tbr_dots.bmp
    Filesize

    164B

    MD5

    adc799ec79eeaef366ea4dddf099c3ae

    SHA1

    556c915615a34a2499604b7b732ab304b20fdd4e

    SHA256

    7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

    SHA512

    76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

    Download Submit

  • \Program Files (x86)\Inbox Toolbar\Inbox.exe
    Filesize

    1.3MB

    MD5

    17fab9dd087f2277dd9ed9ccef1ecdfe

    SHA1

    67f7f6fc6578865724f973027479c1221f090397

    SHA256

    100702a31fc595183feb8f188ff52ff042f461c9f2f8db25a20df9f151a98a07

    SHA512

    1a84eccbf7bb4cb86e4f119c18c16f0c4d511b9b49642b5364530fdff8e97b1f008889d7c12d83c8bb1c3bc56ee30f143a01b930ffea677e7b1e5bf85bea4d55

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-4O1QP.tmp\0e096d59eda311780d7123e869622ad9_JaffaCakes118.tmp
    Filesize

    1.2MB

    MD5

    e7106fbf42fbc6d5b08a18ada4f781b4

    SHA1

    36d4a629f79d772c0b0df8bd2ae2ea09108d239d

    SHA256

    64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

    SHA512

    adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-J82V3.tmp\DownLib.dll
    Filesize

    183KB

    MD5

    db25dfdd4c1f2b65c68a230881072695

    SHA1

    94cd6a3438041f0e61b0a1bea7b66461854efe69

    SHA256

    1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

    SHA512

    db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-J82V3.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • memory/568-232-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1396-231-0x0000000001E10000-0x0000000001FA1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1880-228-0x0000000002220000-0x000000000232B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1984-353-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2164-195-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2572-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2572-224-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2572-2-0x0000000000401000-0x000000000040D000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3016-226-0x00000000020F0000-0x0000000002127000-memory.dmp

    Filesize

    220KB

    Download

  • memory/3016-9-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3016-22-0x00000000020F0000-0x0000000002127000-memory.dmp

    Filesize

    220KB

    Download

  • memory/3016-235-0x00000000046F0000-0x00000000047FB000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3016-350-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3016-352-0x00000000046F0000-0x00000000047FB000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3016-225-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3016-392-0x00000000046F0000-0x00000000047FB000-memory.dmp

    Filesize

    1.0MB

    Download