a145f96d2f852ffcbb6f4b29db5761d829bb7e66ecfa4c9369a085ba9453ffb7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b00730eabed223fd065e499c4722147_JaffaCakes118.exe
Size

1.2MB
MD5

3b00730eabed223fd065e499c4722147
SHA1

5bfaa0fb67aedf0b24d10257dc1a6fb8bda42cf7
SHA256

a145f96d2f852ffcbb6f4b29db5761d829bb7e66ecfa4c9369a085ba9453ffb7
SHA512

c651d2ea13cae8a1e46856ea0a352e7eda45def3779091e476a11aaa147a6f91a1024e8d74615e15f9acd84b77bd48d25be1207840d05bb75889b3b87f50f0dc
SSDEEP

24576:h1OYdaOGIEMNRZbkXIyx0jPohfjOyBu9hyHH8+UhnWb3aQM:h1Os9EMNRZbkXIyx0jPKJuvyHH8hWGQM

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2728	VxXWX9R4H.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe
2728	VxXWX9R4H.exe
2508	regsvr32.exe
2528	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgnakiddpedbmeliiokkmmdjolbmpobb\5.10\manifest.json	VxXWX9R4H.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ = "siaVensheare"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ = "siaVensheare"	VxXWX9R4H.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\NoExplorer = "1"	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	VxXWX9R4H.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\siaVensheare\RJwrcueL.dll	VxXWX9R4H.exe
File opened for modification	C:\Program Files (x86)\siaVensheare\RJwrcueL.dll	VxXWX9R4H.exe
File created	C:\Program Files (x86)\siaVensheare\RJwrcueL.tlb	VxXWX9R4H.exe
File opened for modification	C:\Program Files (x86)\siaVensheare\RJwrcueL.tlb	VxXWX9R4H.exe
File created	C:\Program Files (x86)\siaVensheare\RJwrcueL.dat	VxXWX9R4H.exe
File opened for modification	C:\Program Files (x86)\siaVensheare\RJwrcueL.dat	VxXWX9R4H.exe
File created	C:\Program Files (x86)\siaVensheare\RJwrcueL.x64.dll	VxXWX9R4H.exe
File opened for modification	C:\Program Files (x86)\siaVensheare\RJwrcueL.x64.dll	VxXWX9R4H.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VxXWX9R4H.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	VxXWX9R4H.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	VxXWX9R4H.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	VxXWX9R4H.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	VxXWX9R4H.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ProgID	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa.5.10\ = "siaVensheare"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\siaVensheare\\RJwrcueL.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CLSID	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CurVer	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32\ThreadingModel = "Apartment"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa.5.10\ = "siaVensheare"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\siaVensheare\\RJwrcueL.tlb"	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ProgID\ = "saaveeNSharEa.5.10"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\siaVensheare\\RJwrcueL.tlb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\VersionIndependentProgID	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa.5.10	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CLSID\ = "{F41AF968-0654-E587-3FDB-7C8983CD38DD}"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Implemented Categories	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ProgID\ = "saaveeNSharEa.5.10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CurVer\ = "saaveeNSharEa.5.10"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\ProgID	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\siaVensheare"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CLSID\ = "{F41AF968-0654-E587-3FDB-7C8983CD38DD}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\ = "siaVensheare"	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\VersionIndependentProgID	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\CurVer\ = "saaveeNSharEa.5.10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\VersionIndependentProgID\ = "saaveeNSharEa"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32\ = "C:\\Program Files (x86)\\siaVensheare\\RJwrcueL.dll"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	VxXWX9R4H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	VxXWX9R4H.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\saaveeNSharEa.saaveeNSharEa\ = "siaVensheare"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD}\InprocServer32\ = "C:\\Program Files (x86)\\siaVensheare\\RJwrcueL.x64.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2728	2240	3b00730eabed223fd065e499c4722147_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2728 wrote to memory of 2508	2728	VxXWX9R4H.exe	32
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33
PID 2508 wrote to memory of 2528	2508	regsvr32.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{F41AF968-0654-E587-3FDB-7C8983CD38DD} = "1"	VxXWX9R4H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	VxXWX9R4H.exe

C:\Users\Admin\AppData\Local\Temp\3b00730eabed223fd065e499c4722147_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b00730eabed223fd065e499c4722147_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\VxXWX9R4H.exe
  .\VxXWX9R4H.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2728
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\siaVensheare\RJwrcueL.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\siaVensheare\RJwrcueL.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\RJwrcueL.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\RJwrcueL.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\RJwrcueL.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\VxXWX9R4H.dat

Filesize
5KB

MD5
4de226b1bad80aa2cc5e41aec11f7669

SHA1
e306afb8fa42d29d5176eca2c08a81dee7ebcaad

SHA256
fd4f5d72a942175988251203feb81f05420d1093bd68a74f2f28786311214e91

SHA512
772211b1c6a2de030c3a1c2654a64b534c620009a042a10fa02809b46fedc6166a739e57e10e091cbf7905919d3052d715dccbe114a2e9431857c7589ac0411d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\ch.txt

Filesize
32B

MD5
07a759d93c50247a1bf75b55005d9a20

SHA1
39fa59ee8ea69250e10b284f71913e06cbd3edc1

SHA256
34dbbb51a0b3a97114da6aebc6f8d2f84a14309f432599215f4ba54bae514de5

SHA512
660ea1ea997de634e6d12070a634725dd6fd9f10f435d19be5e92b1202ab54c2df15f9302d926f1d8fbabe0e7f60c005b7a74e9386c6d1848935d6f360facc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\[email protected]\chrome.manifest

Filesize
110B

MD5
bed79c28d849391d5c359bb614f18aca

SHA1
4bb90f1063f6b967ab1ea0fe935159fa80a16f2d

SHA256
29c9a9e180b1238993b538f576c2c92df2caef8dec9f485a62a6e2babbb63c13

SHA512
f0afe6190695ae0167c723e188b0e7b186ecb9f30e5a7ee9cdea469cffa4a507fdbaaf9c32354cd0c2454f8228c2490bd8d3a9c18418732a9aaba3c417d733af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
396f0c96da35e8db096dbfb1787355a4

SHA1
c8f4dffbd28c065fcc32e05e1f74f0c010a4e4b4

SHA256
0b5c67fd02865a4cae8e975a2b9cdef30a391792c8e245509a9516760306ed10

SHA512
098abfd385fdb15f55298ead9d6319890f281db9120838f950607e79406b14007388893a4eea4b5de2703e7c1678886168c2d2a19b6fc566bb08ce1392821576

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\[email protected]\install.rdf

Filesize
613B

MD5
f648132e1763a6f6c06953d65e318884

SHA1
7bd7189380ac6ad677fb674992be7bf12565c8aa

SHA256
10e1223d33cd4f2f765b4c4bda18f9f441882d6246c8d4aa6911b969b581dade

SHA512
4d3c7fae31ba9c71e4874ba291131456e2523cc115d549b3a9c182ecbce9e7c7c83f6be1fbfbc1eb410018dd28f421ea7b50411f3d209b5b63a8728de273d26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\FxhqEkddL.js

Filesize
4KB

MD5
a714c3d2ed2e209c670d003950a4f358

SHA1
1b0a00d371f9eb6b92ab7b622be887351d07473b

SHA256
1a25a8c72f537e632130242d1a6b224822095fdb94ec3869c620fcdd48cf3889

SHA512
95293c71f45486e17c757a6dc837e4a058803bcb842d371352077437b8ee43652f5f1a9d6d5182b7f3c630d96a47452d2ac6ff37a81a01a3a56f49cc8321464b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\background.html

Filesize
146B

MD5
6a28fde0dccb5502b3ccf0748f8e8936

SHA1
79d3fe0c9229d11c618fc5a5afa90e6a9b6741e5

SHA256
3bf6add5003f3fdcec64e1247a07ea72b2b4bc30c8b4e6c5d68ceb9ec767d4bc

SHA512
e902cc533a1ffc4da5b006dc917b97979272f4760e94ff606a5870169306ecbbab1febf7a082b69602d7c0bc51248a63c4a33c7969315d1388a5fabe7170d8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\manifest.json

Filesize
507B

MD5
206f8ea9fc21b82ddf24a4baa9d8272f

SHA1
54d7c17ab9e6f4b7bd066fe88f723e0bffbc369a

SHA256
f0de3f11b2c2e59ff67205c9667b414a0b4bc298980a0f52fb3c889493a371c4

SHA512
8fa29e6cb10e4bdbf214c3eae9362c2e4cc25f523a92d78912ccd4692582ebf5b21c5a49f6417561263f5dec847e7002279b89d6184a00c73e21dcdcc411f189

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE485.tmp\jgnakiddpedbmeliiokkmmdjolbmpobb\sqlite.js

Filesize
1KB

MD5
08782fe54eccd850f10e44409a5c3445

SHA1
00ccc3daf716202f6f7cdb6ee22a4abb558754e7

SHA256
2b192a7c078c003fea95c04b40436e14ef12efa61d791cf8cdfd41b4e58066f0

SHA512
3b9188cf0023b0d326a32526bd73205d3d2550e34e0bbe7f2ed7e266c6bdb22bfaed64aa63c885b325122dd74a73ad46304794392f9c3d83a2bc4856abe6aec1

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE485.tmp\VxXWX9R4H.exe

Filesize
470KB

MD5
297c46f413d3c5c5b46e335adf199c09

SHA1
2315be5c129efe4fac36850b225ca2ebeec196ae

SHA256
edb17bd5a6416faeb179d4b72d8f91aaf1c21bf7001fd40f2d1947b90d636a1f

SHA512
6302b38cfcccc45545baad1cfa849700df61b20bce351f2b1f8eb94b21187718ccd080720cc2cfec6122c870b33b914e2f0deb7aa8cee1cc9efd476dbb71b0e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads