1ab205eb6abc3a4a90d278afa261886827955242af86fa448c51ed49c626cb03

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe
Size

163KB
MD5

280d6ae4fe54d19f6ce9930cbc6772a3
SHA1

f1ff0557fe8324c50d93b0f50201a097d68d06a9
SHA256

1ab205eb6abc3a4a90d278afa261886827955242af86fa448c51ed49c626cb03
SHA512

e825b91f968b6ee3aff3b218af5cbe9bc3a2aeb5bf7350cba558e42a192c54157fd42665649a4226de97582ff099391a0563bb2e4a59665dc62383f93fcd66ce
SSDEEP

3072:WxY3o6KKf/YyxDddbFdeG5zAUESrHre/PWXQdzjmkMh3mKS1oNEivLnPGv8V:WY3ErSddDeG5zF9bre/uX6zB+3mH1o+Y

Score

6^/10

adware discovery stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D729831-A44A-4D03-900C-292F8CBAED13}	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D729831-A44A-4D03-900C-292F8CBAED13}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D729831-A44A-4D03-900C-292F8CBAED13}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D729831-A44A-4D03-900C-292F8CBAED13}\InprocServer32\ = "C:\\xp2008.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D729831-A44A-4D03-900C-292F8CBAED13}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D729831-A44A-4D03-900C-292F8CBAED13}	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29
PID 2052 wrote to memory of 2172	2052	280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\280d6ae4fe54d19f6ce9930cbc6772a3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\xp2008.dat
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xp2008.dat

Filesize
121KB

MD5
782d220987d2abc6975b2d471f636740

SHA1
d06002a9facba9de6b9123821a2915955e5d58ff

SHA256
a3940649b32351d1c5792a499a8869322f9ce7d966a10006a5fbece9ecc788cb

SHA512
58a6df4735bca916e13ad5011b08249307cec8789a189380e5b261bb55ecae1882a38a529dc32821f01258307d7327946e36a084cd63655c9574921f8948ccd6

Download Submit
memory/2052-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-2-0x00000000001F0000-0x0000000000213000-memory.dmp

Filesize
140KB

Download