1ab72e987b4edc1bb0662bede09f498d8891bc9b2dd4107b229bf7abfc2ab92c

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Size

78KB
MD5

0e3d268c99d6d8db40ba08c4e6bde0fa
SHA1

6a5d2e2b403ff672e75fa4fd80507a99ee17a940
SHA256

1ab72e987b4edc1bb0662bede09f498d8891bc9b2dd4107b229bf7abfc2ab92c
SHA512

424ed735ed3d7cf3555e1501841e7f4a80292e686b32f3d6da086cf3c0d3ef0e0b517a40efb12fc9f62a21d814243fc1ec33fc2b0798aec260e61038e3aa812b
SSDEEP

1536:YRBreX9EF+BFT2H5aqtD8W/HJ7Mk9jvxYCwaqiPsg/2z+hTarb7I/TW2:YRg2F+BF6H5dDx4AiCwaqiZhT

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysreal32.dll	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\distributer.txt	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\Programmable	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper.1\CLSID	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper.1\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ = "ChajianHelper Class"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\ = "ChajianHelper Class"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CLSID	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CurVer\ = "Chajian.ChajianHelper.1"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IChajianHelperEvents"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IChajianHelper"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32\ = "C:\\Windows\\SysWow64\\SYSREA~1.DLL"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32\ThreadingModel = "Apartment"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper.1\ = "ChajianHelper Class"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper.1	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID\ = "Chajian.ChajianHelper.1"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IChajianHelperEvents"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IChajianHelper"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CurVer	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID\ = "Chajian.ChajianHelper"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "Chajian 1.0 Type Library"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\sysreal32.dll"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
2164	0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e3d268c99d6d8db40ba08c4e6bde0fa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kucosetupno3.exe

Filesize
7KB

MD5
fd6aa00595203d3c0b7df537130182f4

SHA1
79ff042032b9c74301899a0dd8071e0e4afac39f

SHA256
b4b41218998c3ca8e5a043bd8507212eb28488196eddf435279108ab4ed881c7

SHA512
7914ad8fef46d4bbcf6ed9c2ae19f6a330e4a74a7ecd43c46ac55c04a56c32afc8881a16b667639f78bb5cdde65b69e70804f458ed3d20d2a52f4853707b3368

Download Submit
C:\Windows\SysWOW64\sysreal32.dll

Filesize
68KB

MD5
03c68a64818522069dd56aa362184adb

SHA1
1f70d299051f70989d83054a4177108d4d371b71

SHA256
f82c5969d02117bb94373f36c5c25bebdfb9af9eb014ae233bf14d4b6cd49aa5

SHA512
c5c6d985ebbf80480191e9b063847bd41edad21dea684c009d023256bd5e9f150e6246519f52abc9e20bf1f6d2d1c0417232a0babd0477ca1038a23f6b9fc64a

Download Submit
memory/2164-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download