aceb10dd1cb6c455e0f31b80446ea9232af493c5a5e4cc6ae0befb1d4f861cac

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Size

79KB
MD5

1aaacfa5ba89e732192ef05c1af91ef7
SHA1

8c67aee19640bdf8394c31bcbfe90a6d3981516b
SHA256

aceb10dd1cb6c455e0f31b80446ea9232af493c5a5e4cc6ae0befb1d4f861cac
SHA512

4272a175ee0a1afd828ccc423482100b37f35e652524dfecd7f9ffc38e3d8e4f0816d29b081983c79eaadb64ceddd4a9e632941c96520ba74899a36b7e7b0132
SSDEEP

1536:Geff508RTuuhTDAA8//YEfsWfcBNhsBNSLzv8YpObL9YkIVerGAew4P/51x/JtSG:3ff508RTuuhTDAAY/YEfhfopLzvd7ZDd

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

pid process

464 1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cltmon = "C:\\Windows\\system32\\cltmon.exe"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\DllName = "C:\\Windows\\system32\\omhdt32.dll"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Startup = "fnGbf2"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Logon = "fnGbf2"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\StartShell = "fnGbf2"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Logoff = "fnGbf2"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Shutdown = "fnGbf2"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Impersonate = "0"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Asynchronous = "0"	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cltmon.exe	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\omhdt32.dll	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\omhdt32.dll	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\otxt16.cfg	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\otxt16.cfg	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

pid	process
464	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
464	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
464	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
464	1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

pid process

464 1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
464 1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aaacfa5ba89e732192ef05c1af91ef7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbf6B4D.tmp
Filesize
25KB

MD5
0bfaf3b2d62e0fa99323b10003a76905

SHA1
df9a6cbb8538a730102badef0295bbbdff3574ea

SHA256
cc42f33ddf8c635697fcc186e15c572d74a18fbf3dab9510b3cd633ee33e168e

SHA512
8bbeeb39abb58f939faf2c1e2b0c801266e86ab728024ed5332941ceed13b573564dd339ed0627dd18605d66223713cc6380dd698d4b588a820aea09ef4a9755

Download Submit
memory/464-0-0x0000000000400000-0x000000000042B2BB-memory.dmp

Filesize
172KB

Download
memory/464-11-0x0000000000400000-0x000000000042B2BB-memory.dmp

Filesize
172KB

Download