9f6b696316da1729bbaf62f60f6e693abc8c78dfdf3aa7cfb34e31b4604edb89

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Size

214KB
MD5

1aac0aa6a4ac15674394c90f74f5e7b9
SHA1

c1d57d25a5ab0de911727d6d066d4fed5badaeff
SHA256

9f6b696316da1729bbaf62f60f6e693abc8c78dfdf3aa7cfb34e31b4604edb89
SHA512

1784c4ca50c411b5d9a5af59e6cac524bc227ef73d081a5c27891e79c8c607f0f06a477e7d006e3f6fbc0e823ca94803d6a24d3bb29eda2f12365094343e6ea9
SSDEEP

6144:KKteNh8kTdbRF1xdc24gdreO8M2p1zoeKeI:Zteddtt/4qr1azoe

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

pid process

1616 1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

pid	process
1616	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\ = "tlslibP"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\NoExplorer = "1"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

Modifies registry class 64 IoCs

Processes:

1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\InprocServer32\ThreadingModel = "Apartment"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny\CLSID\ = "{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Mwwetiuirxfjh.1	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny.1\ = "tlslibA Class"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny\CurVer	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\ProgID	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Mwwetiuirxfjh.1\ = "tlslibB Class"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Mwwetiuirxfjh\CurVer	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\TypeLib\Version = "1.0"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{19AA3E05-B074-47E2-BF03-176614EA028E}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\InprocServer32\ = "C:\\ProgramData\\tlslib.dll"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\TypeLib\Version = "1.0"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ = "IMwwetiuirxfjh"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\NumMethods\ = "7"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Mwwetiuirxfjh.1\CLSID\ = "{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib\Version = "1.0"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\InProcServer32	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\{070E2C5C-40D8-4A0A-9F39-9C642B5662DA} = 74006c0073006c00690062002e0064006c006c00	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ProxyStubClsid32	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\NumMethods\ = "7"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0\ = "tlslib Type Library"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ProxyStubClsid32	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\NumMethods	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\tlslib.DLL\AppID = "{19AA3E05-B074-47E2-BF03-176614EA028E}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\TypeLib	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\InprocServer32\ThreadingModel = "Apartment"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ProxyStubClsid32\ = "{5E57FE12-B216-4C83-93C0-74D08E34E2D8}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny.1	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny\CurVer\ = "2"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ = "PSFactoryBuffer"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0\0\win32\ = "C:\\ProgramData\\tlslib.dll"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0\HELPDIR\ = "C:\\ProgramData\\"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\VersionIndependentProgID\ = "tlslib.BClass"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0\FLAGS\ = "0"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\TypeLib\Version = "1.0"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\InprocServer32	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E57FE12-B216-4C83-93C0-74D08E34E2D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\{E4BF93C1-D1E0-422E-82C1-8338FE72BA0B} = 7b00360045003400380041003900300043002d0046003400420044002d0034004500310032002d0039004400420034002d004300350032003000450042003900380031003300460031007d00	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny.1\CLSID\ = "{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\ = "IPtiovesnjqgny"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny.1\CLSID	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E48A90C-F4BD-4E12-9DB4-C520EB9813F1}\TypeLib\ = "{E8F02988-06C9-4504-8862-08BBDF8D54E7}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8F02988-06C9-4504-8862-08BBDF8D54E7}\1.0\0	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\ProxyStubClsid32\ = "{5E57FE12-B216-4C83-93C0-74D08E34E2D8}"	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E01CD27-3478-4B44-A832-7A8BDC4F1CA2}\Programmable	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mesmobpvzmirxnj.Ptiovesnjqgny\CLSID	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72443DA-6517-4127-85F0-E57E40193EF3}\ProxyStubClsid32	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID	1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aac0aa6a4ac15674394c90f74f5e7b9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tlslib.dll
Filesize
323KB

MD5
98100dff0a655791425e997e16521a9f

SHA1
8f6646dceecfcfc9f9d1dbc7f08826658ad69067

SHA256
c4edc8e9fa33715fbc9d182f44984fd6964bf085bc98a198527414dc32781264

SHA512
70bedd8edcebab38c2072412d223d01b22f99458c0d6ce8346af123128fd199ef2b17cc16d95599ce574da978eb52c81b63e7ca60c8c0f3bb62acef2f0ed1a8e

Download Submit
memory/1616-0-0x0000000000450000-0x0000000000487000-memory.dmp

Filesize
220KB

Download
memory/1616-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-7-0x0000000000450000-0x0000000000487000-memory.dmp

Filesize
220KB

Download