1a14bfd8d8d6a97883dd217f0c0733f4789a39d06014baff0ca9f647e805d248

Analysis

max time kernel
140s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
Size

77KB
MD5

3f11133f9df37ba69963fddc92f3e75f
SHA1

6350ff86d201bd90a1a55125c496c59b32f65690
SHA256

1a14bfd8d8d6a97883dd217f0c0733f4789a39d06014baff0ca9f647e805d248
SHA512

d2c244f9137ac9fd8fd6be2d52821f318ae4e9dce1f2b4bb9890cd241292f76ef4e052e9a5ca1acb4f6e0a1bb1a67964dae3bd0e2d0f008e430aebae4b4968e5
SSDEEP

1536:2mQ0u4oaXubNkgzpW4iWKsuyn2biLNn30lTmYSO/dOrE1/dTTo:2mQrSuy46sN2bcNnYTmYSKNFdTTo

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	smss.exe
1536	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
4116	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8130BF1A-D220-4853-86C7-675EF81C7C70}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ = "??????"	regedit.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UQZ\ILNYVYNQFI.dll	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\Survival_0.txt	smss.exe
File created	C:\Windows\reg.reg	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\H\smss.exe	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File created	C:\Windows\Survival_0.txt	smss.exe
File created	C:\Windows\userid.txt	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\tao.ico	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\t.ico	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\XKD\VKF.vbe	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "Qvod"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ProgID\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\ = "QvodAdBlocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid\ = "{8130BF1A-D220-4853-86C7-675EF81C7C70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0\win32\ = "C:\\Windows\\UQZ\\ILNYVYNQFI.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "_Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\HELPDIR\ = "C:\\Windows\\UQZ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "_Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32\ = "C:\\Windows\\UQZ\\ILNYVYNQFI.dll"	regsvr32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1080	regedit.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
2344	smss.exe
2344	smss.exe
2344	smss.exe
1536	smss.exe
1536	smss.exe
1536	smss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2252	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	87
PID 4216 wrote to memory of 2252	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	87
PID 4216 wrote to memory of 2252	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	87
PID 4216 wrote to memory of 4116	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	88
PID 4216 wrote to memory of 4116	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	88
PID 4216 wrote to memory of 4116	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	88
PID 4216 wrote to memory of 2236	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	89
PID 4216 wrote to memory of 2236	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	89
PID 4216 wrote to memory of 2236	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	89
PID 4216 wrote to memory of 2344	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	91
PID 4216 wrote to memory of 2344	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	91
PID 4216 wrote to memory of 2344	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	91
PID 2236 wrote to memory of 1080	2236	cmd.exe	92
PID 2236 wrote to memory of 1080	2236	cmd.exe	92
PID 2236 wrote to memory of 1080	2236	cmd.exe	92
PID 4216 wrote to memory of 1536	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	93
PID 4216 wrote to memory of 1536	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	93
PID 4216 wrote to memory of 1536	4216	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\XKD\VKF.vbe" 0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\UQZ\ILNYVYNQFI.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s C:\Windows\reg.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\reg.reg
    3⤵
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:1080
- C:\Windows\H\smss.exe
  C:\Windows\H\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Windows\H\smss.exe
  C:\Windows\H\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\H\smss.exe

Filesize
68KB

MD5
b360a5d6ebafeca7b928e870d60d313e

SHA1
13d54b73843603fd86cabde7f8bd45b5dde9e1c9

SHA256
be12ba429afb3f0aad0d03f2bfca19842c07deb5a622f9651b9e36b774f76635

SHA512
e78b8fdb525c78e985dd2099b65c89b21d5f75c1f1a7ffddfbdab2b57cdc22c4a96e36b6703318f894664e905446e5d4cd44656dc91e7198b2d44f87d4eb7683

Download Submit
C:\Windows\Survival_0.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Windows\UQZ\ILNYVYNQFI.dll

Filesize
2.9MB

MD5
e584d9fba7c42ed0bc45480e57edf79f

SHA1
66a3d003401602d55c87fc06636c50a8a75764af

SHA256
4b535bdf12d45169e0f5b4bf092e9600afae5c1236952a96babe2e8b6b29140a

SHA512
a463c5156b57f0e3f16384e9b7c27e005656c18f8c2d4f86408c4931666fb61961b9f54cacfc8e0063fafa032f5b196cc7f81e7bd882df9edf76e6ec28a1b47b

Download Submit
C:\Windows\XKD\VKF.vbe

Filesize
1.4MB

MD5
6b207acfadf906a07df549e214dd367f

SHA1
ff593c0d63ac8295860d08125feb7ab6690c0887

SHA256
63c39b44c2edf0d767a2397150cca462a77d5f812dc7c328698be7802f60a064

SHA512
df69771c40edc85de84481fda44eefdb86a572296b4b2697b4600731bd879e8c370bb1521de3155f5fac175f8389b5cfa128b3ea0866024fb8027e7807198b6c

Download Submit
C:\Windows\reg.reg

Filesize
185B

MD5
8c60338daede12257ecea2129aceea7a

SHA1
cb7921ca7fc11a04c3f1230a4676769656a1af44

SHA256
03c1eccc1d53b3bf3fd5b36f8f05ed242b2c023423708aee1b819e2764bd78f2

SHA512
a948da636a6a26e0aa0e711a0c66b1aaf53f9c7b3a73e34a1a7ca93884742637f4a155d6dba28a19c6c64685a20555147308fc46fd4a66996a5eed8e2bd5238c

Download Submit
C:\Windows\userid.txt

Filesize
5B

MD5
3719bc4d13977453b5d8c9d8f1e7462a

SHA1
c24505bcdb2b09980198730cd4791acad1796dcc

SHA256
197a4e2a0db3b79c8240827c9ea2ed1476c8a5ad7e22c02c832ba3a0a8bff9a1

SHA512
9bebfe9c377389f34afd15c2f4e2b027edfec3ec4883f0df09c8a0e4d22dbb9692eb8b4264c89165bc336c458e5488a7cd743bd5f99ae5d4b71a8b3c2805f1a5

Download Submit
memory/4216-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4216-55-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download