f4781d6b4c16962f033aa8dabc0875f1d7bb29c48520fa6883bfb3b316624b2d

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Size

26KB
MD5

2b41ca1c7327cf44d84e3b015bb86a9c
SHA1

b5d7293923ba6203dd0aa8819a7d902614e5726a
SHA256

f4781d6b4c16962f033aa8dabc0875f1d7bb29c48520fa6883bfb3b316624b2d
SHA512

a5cd42b665225c51ce4b9554cb0f57e763a56bf13b448c87d9f4a6e1a0c007481570b9502a53819463e5831689872243a1d30e74f0f53c419f8e0676564330ec
SSDEEP

768:Xbs0hxm5QyhuMkmPP8cXK4I+QRb4k4v9:Xbsr5Qy7EcXKV98ks

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe"	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	iesmin.exe

Loads dropped DLL 1 IoCs

pid	Process
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E26CEADA-67B0-4543-BE8B-307F00265118}\	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E26CEADA-67B0-4543-BE8B-307F00265118}	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b9c-6.dat	upx
behavioral2/memory/4796-7-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4796-9-0x0000000000400000-0x0000000000407000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iesmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Search	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E26CEADA-67B0-4543-BE8B-307F00265118}	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E26CEADA-67B0-4543-BE8B-307F00265118}\xxx = "xxx"	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E26CEADA-67B0-4543-BE8B-307F00265118}\InprocServer32	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E26CEADA-67B0-4543-BE8B-307F00265118}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iesplg.dll"	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E26CEADA-67B0-4543-BE8B-307F00265118}\InprocServer32\ThreadingModel = "Apartment"	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
4796	iesmin.exe
4796	iesmin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 4796	1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe	83
PID 1864 wrote to memory of 4796	1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe	83
PID 1864 wrote to memory of 4796	1864	2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b41ca1c7327cf44d84e3b015bb86a9c_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\iesmin.exe
  C:\Users\Admin\AppData\Local\Temp\iesmin.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iesmin.exe

Filesize
5KB

MD5
9ad12f0b9370ccf90f0bed5023d1e9cf

SHA1
e893a9eccbf99a4bda22562e895d6134b79a0ed8

SHA256
67611a4ae606b0ac19b72dfa29f8e198b8ddb07520ea011cbbf607fa21fc96e2

SHA512
9ad931054c039fc88e48701f22aa6b94ba23ecac0e51b51f80b3512605acd3d55e334248399f906e9deb5cd694b3c013ae53b47377f188d119c2e90d89cac447

Download Submit
C:\Users\Admin\AppData\Local\Temp\iesplg.dll

Filesize
10KB

MD5
847b66b341108daa19113c48c22a6711

SHA1
14dde8b8eeac8c8051cf497baf98de2eea20b502

SHA256
5fe7f90a0a1fe98bca49aae9d8eb985dcea900e3092e8b9bf6e190be21229695

SHA512
75b8c4680fa22498372824cc09d97da4cc6576aec07d5a44d509b70e016903cb4429e8867c0fa38c9f7c7f09454eb8922fad59ec24ec5c3629a9c831702e200d

Download Submit
memory/4796-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4796-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download