a5eaa11b6ff9c8a7b4fab622802ee926662cc6ac2650211e9e12564a86892912

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Size

6KB
MD5

1b061cd808047a3ebc641d163d201cd6
SHA1

e687928ec647ab3bb94d418cee32f09323e840c7
SHA256

a5eaa11b6ff9c8a7b4fab622802ee926662cc6ac2650211e9e12564a86892912
SHA512

96e4d09c667bae8978d406fa0852150464dac5dd28bf76b1267ebcd617a65e076878c8a37c764c5ed36463e84851f10380203f8f5d08b9cf07658a73512445ca
SSDEEP

96:Wes/g7cOV7tywaOi1aL8dtgWsbl25SkrVtxMhiYAU+0gL1XptniawB4omu4y6v1+:MccGDaOi1U8/VshPkBtyiYIVDZoIU

Score

7^/10

adware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2172 cmd.exe

pid	process
2172	cmd.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68363724-9abc-def0-0fed-fad682644311}	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\idmas.dll 1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\idmas.dll	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

Modifies registry class 5 IoCs

Processes:

1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68363724-9abc-def0-0fed-fad682644311}\InprocServer32	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68363724-9abc-def0-0fed-fad682644311}\InprocServer32\ThreadingModel = "Apartment"	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68363724-9abc-def0-0fed-fad682644311}\InprocServer32\ = "C:\\Windows\\SysWow64\\idmas.dll"	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68363724-9abc-def0-0fed-fad682644311}\script0001 = 18b449998991e1ebac6cbf2f4eaa1944a40f5705508596bbaf4d68d37a16271878de31442a	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68363724-9abc-def0-0fed-fad682644311}	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe

description	pid	process	target process
PID 1684 wrote to memory of 2172	1684	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe	cmd.exe
PID 1684 wrote to memory of 2172	1684	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe	cmd.exe
PID 1684 wrote to memory of 2172	1684	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe	cmd.exe
PID 1684 wrote to memory of 2172	1684	1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b061cd808047a3ebc641d163d201cd6_JaffaCakes118.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delt.bat" "
2⤵
- Deletes itself
PID:2172

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delt.bat
Filesize
248B

MD5
9d0f3e32073aa628bf149813c1a77008

SHA1
a8feafa9c0c460973fb85ca014afb9c350700e1c

SHA256
35804a9474f70e259e34057da0411a9f57c98af545cd4a647636f0503702e064

SHA512
e42bdf6b087b7a84598071a7d15e925646dd340b7d8d0ec2e604e171aa6cbeefd34883c8885eec5e33c431932e260d4a7c060f630a00f93932424dd298932cc0

Download Submit
memory/1684-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads