e1f619f440e6fa957d563ab4ed0e38d95c7b29b46b5e93ffb4075cdced027443

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Size

331KB
MD5

277ca3aa4a3aeddb75c7c02f7c6dfca6
SHA1

d96988333d2222826b83423598b3334f6ea7ec61
SHA256

e1f619f440e6fa957d563ab4ed0e38d95c7b29b46b5e93ffb4075cdced027443
SHA512

f8ec18573a290de799262e0d486c29c2127f8f16c8b60223c23ac8e9e8e0a3b90f6be6e251999929c838506ab21ac27bc107a8c9109a2a1b63cf21fbd6e803fd
SSDEEP

6144:WXXE1Q0ucQ9lIIo28ohm7YV1NnUH1DrlCQ/XzmsKcWKHA0e/nq:buII2o47MUH196sKr7/q

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
1632	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}\NoExplorer = "\"\""	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nseE6E9.dll	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
File created	C:\Windows\SysWOW64\adzgalore-remove.exe	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}\InProcServer32\ = "C:\\Windows\\SysWow64\\nseE6E9.dll"	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}\InProcServer32\ThreadingModel = "Apartment"	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}\ = "adzgalore"	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a08d4c9f-f815-62b5-9b51-326a9dbef9c0}\InProcServer32	JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_277ca3aa4a3aeddb75c7c02f7c6dfca6.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nseE69A.tmp\Math.dll

Filesize
66KB

MD5
468914ab4ea3afc6fda29031c758394e

SHA1
d3b632778a03567efa761401151bfe80d0fe956c

SHA256
8a8d78657f0f6b44f18b16e7eea3e62eef6720e04cd2efc820d62bbe987afac1

SHA512
0b3df17a3a17a82ba7092ff384c7d820d9f1103fcfa732fb399cf0ff065ec6913a73bea433e19ad787bccf272059e39d196322445d9a6327bb25738f343926ce

Download Submit
\Users\Admin\AppData\Local\Temp\nseE69A.tmp\NSISdl.dll

Filesize
14KB

MD5
997ae296af5b7ca9aaa52f6844075439

SHA1
9814f0b09219ac2eed875d842b9362c3b32bec6f

SHA256
1d74275fb0ddcb7c01a92c4ea5c7ef137cdfa0b48ae2b293f0ea178b355cbaa8

SHA512
a81ee17129278a185e91f6615da2d9e47940580fcaac3806ace17a0c0e48995f8e85de6deedcec502782141acd381fb7dd1c72a93fcd40112afadc3741572349

Download Submit
\Users\Admin\AppData\Local\Temp\nseE69A.tmp\System.dll

Filesize
10KB

MD5
32465a07028b927b22c38e642c2cb836

SHA1
309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

SHA256
eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

SHA512
9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

Download Submit
\Windows\SysWOW64\nseE6E9.dll

Filesize
306KB

MD5
069b38d65b12c89ce5531da46359cd7e

SHA1
f041d92369f971b6d46d8bd63b3b773c51833dcb

SHA256
c536e06b05d752d1e9cbe134c5b8e764dd0aff943c6d5ac63c8c7a73fa24b39c

SHA512
013763c11e330c87a70677006d489a58a7cb3d615359b6ee3d8b895191fea2b8fed9f31eb2631e84e2ab29718f3de0fa079dadf69cd0e58e2a318a942ccfa277

Download Submit
memory/1632-45-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1632-54-0x0000000002830000-0x0000000002882000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads