Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 13:40

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: 1a559280434575bead6bd1d131196464_JaffaCakes118.dll
- Resource: win7-20240221-en
- 3 signatures
- 150 seconds
General
- Target: 1a559280434575bead6bd1d131196464_JaffaCakes118.dll
- Size: 18KB
- MD5: 1a559280434575bead6bd1d131196464
- SHA1: 9e6cc33bf12814e7f73c6a157337d500c494d97b
- SHA256: 176def4e340f2cce635dd3b63bc7c2a8a91fbd70f431b4deebdfbb7e2d324af3
- SHA512: e37666c0e5665eb15475f6fead7017afdcba66c14f8803d76ae369387f2f4e07f0e5dfa341e1a2e47c4aaaa4ef40621084ec4af22eac9f067b2889a2e4ede0ad
- SSDEEP: 384:B8GGfNZSH2li9TXg/9GWg7kGzrjlp026t7AQ0U4dogOe8g1:AfA8i9TE9Glt/xpo7J0jt1
Malware Config
Signatures

- Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe
(description / ioc / process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A06A1A7-9E64-4359-8556-B6EA03D69814} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A06A1A7-9E64-4359-8556-B6EA03D69814}\ (regsvr32.exe)
- Modifies registry class (4 IoCs)
Processes: regsvr32.exe
(description / ioc / process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a559280434575bead6bd1d131196464_JaffaCakes118.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814}\InprocServer32\ThreadingModel = "Free" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814} (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814}\InprocServer32 (regsvr32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
(description / pid / process / target process)
- PID 808 wrote to memory of 1708: regsvr32.exe -> regsvr32.exe
- PID 808 wrote to memory of 1708: regsvr32.exe -> regsvr32.exe
- PID 808 wrote to memory of 1708: regsvr32.exe -> regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1a559280434575bead6bd1d131196464_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\1a559280434575bead6bd1d131196464_JaffaCakes118.dll
    - Installs/modifies Browser Helper Object
    - Modifies registry class