6d40ef7c401bceff1c007139ade12cb340b65c417af8403bcd1d43f403196ec0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
Size

277KB
MD5

27a1a0664e032fbc633d1f191b883227
SHA1

402388a316f3166cca0d1b1d55788d182b217823
SHA256

6d40ef7c401bceff1c007139ade12cb340b65c417af8403bcd1d43f403196ec0
SHA512

be9a7b7ff195ee56ed5051a97b0cadda583f21f6c61b4eeaa2d4ce90cb92838a486869fedc279eebb1bbad49c7c9bbcea983951f6af05e614842d133984e0607
SSDEEP

6144:yuosqxoUo62bLTZuifHeVvNXwgQ3lzJxnTYICHDxYsprsJjNS:yqqxoUorbLTZRfH+tPQrNY7jxY6rs/S

Score

10^/10

adware defense_evasion discovery stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8984B508-91D3-4352-8DCA-A7C58203BBA7}	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-0-0x0000000003010000-0x00000000030EE000-memory.dmp	upx
behavioral1/memory/1832-2-0x0000000003010000-0x00000000030EE000-memory.dmp	upx
behavioral1/memory/1832-5-0x0000000003010000-0x00000000030EE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B508-91D3-4352-8DCA-A7C58203BBA7}\InProcServer32\ThreadingModel = "Apartment"	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B508-91D3-4352-8DCA-A7C58203BBA7}	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B508-91D3-4352-8DCA-A7C58203BBA7}\InProcServer32	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B508-91D3-4352-8DCA-A7C58203BBA7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\rlipwyoa.txt"	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27a1a0664e032fbc633d1f191b883227.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
- System policy modification
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1832-0-0x0000000003010000-0x00000000030EE000-memory.dmp

Filesize
888KB

Download
memory/1832-2-0x0000000003010000-0x00000000030EE000-memory.dmp

Filesize
888KB

Download
memory/1832-5-0x0000000003010000-0x00000000030EE000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads