1257eb42368501130beff8430eb2ddfbf957838f94b1588d857c4ce17040c89c

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Size

809KB
MD5

0f4cc38d9579d0685b694a70e4e9d7f4
SHA1

bd083fbe464f773158a2aa3bd1cfc1e6c745786e
SHA256

1257eb42368501130beff8430eb2ddfbf957838f94b1588d857c4ce17040c89c
SHA512

497955a54609ee15f35a55b1e20fd0c5dc00835896b13752c52a136dab2ac2ba7576aac9df989e6b22e843e034db1169e51ec2fe5823d28d35289287214a5157
SSDEEP

24576:9Vgb7BQPNOiFr9vk4ZhI119U0FH5wcf5eY:9cBY5Fr9vk4Zha193ZwcZ

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001756f-20.dat	acprotect
behavioral1/files/0x0006000000018708-23.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1424	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ieguide_v3 = "C:\\Program Files (x86)\\ieguide_v3\\ieguideupdate.exe"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001756f-20.dat	upx
behavioral1/memory/2668-22-0x0000000002FA0000-0x000000000309A000-memory.dmp	upx
behavioral1/files/0x0006000000018708-23.dat	upx
behavioral1/memory/2668-25-0x0000000002FA0000-0x0000000003051000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ieguide_v3\ieguideupdate.exe	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\ieguide_v3\niebho.dll	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\ieguide_v3\niebar.dll	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\ieguide_v3\License.txt	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\ieguide_v3\uninstall.exe	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784}	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784}\	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ = "C:\\PROGRA~2\\IEGUID~1\\niebho.dll"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InProcServer32	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ = "C:\\Program Files (x86)\\ieguide_v3\\niebar.dll"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ThreadingModel = "Apartment"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InProcServer32	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\ = "ÃßÃµ»çÀÌÆ®"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046}\	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\ = "IBHO"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ = "C:\\Program Files (x86)\\ieguide_v3\\niebho.dll"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ = "C:\\PROGRA~2\\IEGUID~1\\niebar.dll"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ThreadingModel = "Apartment"	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Token: SeBackupPrivilege	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31
PID 2668 wrote to memory of 1424	2668	0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
4fb69582c024a06c95ea1d092e401a54

SHA1
d7f5e017be15e166ed3ee37a24ecb6c560c6a4f7

SHA256
69cd4645a9cdecedb941eac356d8f8e712c77fe0bd844ba0d62ca8a3c9d7ac75

SHA512
9c43502c5c7751b4114f6e60dfe6c93c85bd596cfcd8da4c49fd4134d8badddab319364e55bd02bb4b86abd42dab0ee94732885a915c664c782b4eb6a6ef7b59

Download Submit
\Program Files (x86)\ieguide_v3\niebar.dll

Filesize
253KB

MD5
cb504a159d0c8ace5562e85613540219

SHA1
9c5b9ccddadc60d6dd218533c80935a6bcc1aa4e

SHA256
1ff0c6b1d48dc340c5c7113768fbdca3b3baaecf59f944e4d0be5231e24e75eb

SHA512
30477727ad38a66d09b992f6c907b2dde949819d2ae732f276c47bd05ce2fbcc4d3a39e0562c3371e761e4efdae585942288c6e2e1fc53cc1945a2f35990b872

Download Submit
\Program Files (x86)\ieguide_v3\niebho.dll

Filesize
342KB

MD5
35c2f42baafeec096c05f8eaf4f90970

SHA1
12879beacc1ba299d94fcf8d974728414c4a8ea6

SHA256
2f716bfe44872120b6209615b274be513460e1323c525b27640eedfa4ebb6723

SHA512
4576b711c2c24113ac7f42f3e60efd9c63984de053647257463bec5d984fbfc1da20cb25892c8453dfafcb47201a96218595e0f9baf6da9b9f02d5d7cced12e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF420.tmp\DLLWebCount.dll

Filesize
28KB

MD5
d825e4003d1697fd4bc45361e222746c

SHA1
e9d4b1073aac15d4dbb430471fcaea549e633d13

SHA256
c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5

SHA512
7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF420.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF420.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF420.tmp\registry.dll

Filesize
17KB

MD5
1af237911f21e78a1f118b14f9da3994

SHA1
b26a3ae43c22758a551744fdce89d8290b7e0059

SHA256
4f96dd3fd555a699998440f68fd881b402b7ac7a5123eec423e2173c8535bf50

SHA512
116cee1cb86b59660b9c9946c60864b7ade6b7c669da2c701b87d5d0e9ef3f72b9c9a27ece5893f1f68580c7fc9dbeced5f0145204231a2ecb595c2403a27cab

Download Submit
memory/2668-22-0x0000000002FA0000-0x000000000309A000-memory.dmp

Filesize
1000KB

Download
memory/2668-25-0x0000000002FA0000-0x0000000003051000-memory.dmp

Filesize
708KB

Download