c138cb7ac374963c3d4cedc5964e2d93ff34491c951107d7079aa1472ede2aae

Analysis

max time kernel
106s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 03:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
Size

118KB
MD5

15ed1604d4e53d9efea6b9db60442816
SHA1

200ce47825c630b323e4ba071593be271e52b95c
SHA256

c138cb7ac374963c3d4cedc5964e2d93ff34491c951107d7079aa1472ede2aae
SHA512

5d1353753c765047d1d5ca9bcbe481542e6dc150162b929232d48777583969cb73301f91c5990884d65e3e0c225c2d7f8c18fdcacb8a3d3b24626d081050d5e1
SSDEEP

768:Vsi0NnqrjIcGA+9H5MQO7BUdLOyOLm/Cb5vTOc74Hpyfogpty2uhNqFeTCKp0JGh:VZHIcz+j0W2QA5v974JyZuCTJrv3BMe

Score

7^/10

adware discovery evasion stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
232	ScandalJamb.exe
4612	ScandalJamb.exe

Loads dropped DLL 1 IoCs

pid	Process
3612	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	ScandalJamb.exe
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	ScandalJamb.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\TournamentVandalize\CaulkFlex.exe	ScandalJamb.exe
File opened for modification	C:\Program Files\TournamentVandalize\CaulkFlex.exe	ScandalJamb.exe
File created	C:\Program Files\CaulkKnocker\PresideImplicit.exe	ScandalJamb.exe
File opened for modification	C:\Program Files\CaulkKnocker\PresideImplicit.exe	ScandalJamb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ZAYUOZBIDUJF.dll	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScandalJamb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScandalJamb.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ = "C:\\Windows\\ZAYUOZBIDUJF.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BAEFBE-7CF3-0EA8-3E22-080C5180AC1F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D67BE6-2A57-DB9A-2C0A-BF2753C5CC9F}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
4612	ScandalJamb.exe
4612	ScandalJamb.exe
232	ScandalJamb.exe
232	ScandalJamb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	82
PID 4252 wrote to memory of 3612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	82
PID 4252 wrote to memory of 3612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	82
PID 4252 wrote to memory of 232	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	83
PID 4252 wrote to memory of 232	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	83
PID 4252 wrote to memory of 232	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	83
PID 4252 wrote to memory of 4612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	84
PID 4252 wrote to memory of 4612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	84
PID 4252 wrote to memory of 4612	4252	15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ed1604d4e53d9efea6b9db60442816_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\ZAYUOZBIDUJF.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\ScandalJamb.exe
  "C:\Users\Admin\AppData\Local\Temp\ScandalJamb.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:232
- C:\Users\Admin\AppData\Local\Temp\ScandalJamb.exe
  C:\Users\Admin\AppData\Local\Temp\ScandalJamb.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TournamentVandalize\CaulkFlex.exe

Filesize
118KB

MD5
15ed1604d4e53d9efea6b9db60442816

SHA1
200ce47825c630b323e4ba071593be271e52b95c

SHA256
c138cb7ac374963c3d4cedc5964e2d93ff34491c951107d7079aa1472ede2aae

SHA512
5d1353753c765047d1d5ca9bcbe481542e6dc150162b929232d48777583969cb73301f91c5990884d65e3e0c225c2d7f8c18fdcacb8a3d3b24626d081050d5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScandalJamb.exe

Filesize
28KB

MD5
6697555ead62e6b9fb71a0ffb6d62992

SHA1
55b57b52fe0d4af8716db57a98ab011b1dbe4181

SHA256
683a7e3bc4e63ba70bf88c23ae895109d19fc02c9d084ddd759a5569b56d2cd6

SHA512
36b7c24cbc5cef1ea6cca65c2054e3baae7096932bbb2caa4857d4f324407fe5a92e610d7baf979dfa881d82f9c99c74037b774967cd5d31af5a120bd9eefdf8

Download Submit
C:\Windows\ZAYUOZBIDUJF.dll

Filesize
150KB

MD5
0a34d470caf398b187dca9110979e285

SHA1
86ab4f87662544d195fb0b941a6483fecd3ab79d

SHA256
d20f0a7f695c2d6a842bfc280e1f14a04ac3921218514eb477ae7b6af59be668

SHA512
ed292ea1f479ddcf9b6a445e388b729bc6b4525e0c165e28211695062c7a976065625b6c59411c98df161d7a58605159a50fc539a507bb885e0cc643bf52fc79

Download Submit
memory/4252-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4252-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads