6fe560e73f3edfd32397a9fc5c290c8c402a7fa0b4a0678ecf0511bcf8356a9a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Size

989KB
MD5

1ab84267bcad706d392e9fd1802d28c6
SHA1

ec76d77d18a641602da0f5b99527d7d4bfe4ae33
SHA256

6fe560e73f3edfd32397a9fc5c290c8c402a7fa0b4a0678ecf0511bcf8356a9a
SHA512

4ef0d5c122eee64e52debcea7289645b7f77b8c23f24cd5d69f104745d468bff1b5f8c0eb9bc0ae9b0e7f0722a314c89cd433ec1ff5b9ffd95fd930233c90432
SSDEEP

24576:GJKHP49948yo2hM5ls1iYgBrSGIQm+aOQ+8ampnNZgIe0GO637EBRxdd:GUwnyoVlZU1

Score

7^/10

adware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1584 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2588 regsvr32.exe

pid	process
1584	cmd.exe

pid	process
2588	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\taobao.ico 1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Drops file in Program Files directory 1 IoCs

Processes:

1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description ioc process

File created C:\Program Files\Hotspot Shield\HssIE\HssIE.dll 1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\taobao.ico	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Hotspot Shield\HssIE\HssIE.dll	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\newicon.ico	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
File opened for modification	C:\Windows\newicon.ico	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 24 IoCs

Processes:

regsvr32.exe1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\ÊôÐÔ(&D)\Command	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.wz1122.com"	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\ = "HotspotShieldÄ£¿é"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid\ = "{62DEE62E-4DC6-4824-9AE4-28D2B5784879}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\DefaultIcon	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\Open(&O)	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\Open(&O)\Command	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\ = "HotspotShieldÄ£¿é"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\ProgID\ = "HssIE.HotspotShieldÄ£¿é"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\ = "Internet Explorer"	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\ShellFolder\Attributes = "10"	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\InprocServer32\ = "C:\\PROGRA~1\\HOTSPO~1\\HssIE\\HssIE.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DEE62E-4DC6-4824-9AE4-28D2B5784879}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HssIE.HotspotShieldÄ£¿é\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\ShellFolder	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\DefaultIcon\ = "C:\\Windows\\newicon.ico"	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\ÊôÐÔ(&D)	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71F07D79-F78A-48F4-9A6A-BABD68BDFCBE}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe

description	pid	process	target process
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 2588	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	regsvr32.exe
PID 2240 wrote to memory of 1584	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1584	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1584	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1584	2240	1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ab84267bcad706d392e9fd1802d28c6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files\Hotspot Shield\HssIE\HssIE.dll" -s
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\qpg.bat
2⤵
- Deletes itself
PID:1584

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Hotspot Shield\HssIE\HssIE.dll
Filesize
512KB

MD5
0f23c49589ff70797f64b778ef41ced6

SHA1
709c794ca959247dd7c87da5994d431afe17ecd5

SHA256
8602855687ca24fc3bb16bf13bb543ef759906229f6470f74b26c48bed471937

SHA512
a01abbb457b4b0496c983933246bb4d9e974f740849a1d9123a0e6cc7202ba2f38cb1bc1fa0ccc5994947bafe393c08f62482bcbbf44847c1c0a062cbab6db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpg.bat
Filesize
212B

MD5
c396ea76aac04e4c31a964a586eaebed

SHA1
50f241b17af0541c3adfc19145897abebef9aeac

SHA256
0141100b2a337d7f8f70d3a18d683e52a61fa6811710cf58906f7691fc3efa2b

SHA512
a7c6ecfa4622ba48dce7e3bfbe28d0c7d71083637aab52403bb745586357b31b45aacd7d1c2b3ab408c5c6b17eee7b182c88f5fd7cd8bf20cdefc03e485f34aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Filesize
1KB

MD5
89c71103a26d6550a921cb51bf4d9616

SHA1
f583c9f7484e0d80555f34f26888d99df1b62ff1

SHA256
1bf75f2ce95c2cf8574e06a6711d2133e66e8e6e7bc12865ac26f6644cebf174

SHA512
f82cbb76de5bc9b9bcc9563892b64016d88b0aca87d5193010a40e7b7c92bb2d4bc18bd3bda87fbf1ead29ee87bfc083c7da0851703f3834155a2a9beafd9189

Download Submit
memory/2240-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2240-5-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2240-7-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2240-30-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2240-38-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2588-4-0x0000000000300000-0x0000000000385000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads