Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 08:01
Behavioral task: behavioral1
- Sample: 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
- Resource: win7-20240611-en
- Signatures: 5
- Run time: 150 seconds
General
- Target: 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
- Size: 32KB
- MD5: 1a86f5159d4eb8ca203f69d11efe5cc6
- SHA1: 8526e3febfd0df033e5ffdcdf8b2a3daf7aa5733
- SHA256: f94b4de3afbb7359713dc9bf1eb082da34eee272898d4d9e21e294b44d1e1d42
- SHA512: 8ddc13b0e555a17cb033f0f723c4824d5f146745470cec1ad4c1c55ce5a76a7e7aa1b04a6af61ad18f1eb10084905f1aabcc812cfdf5bd1fbc5b17baa8f4b39b
- SSDEEP: 768:NdFibdzyHOCL/bqYTg8Mv5aXbI+jLb0xZFjIbAuBr1V0Lz:bYbdzyu+PEHmbJ4x3IEO1V0H
Malware Config
Signatures
- Yara rule matches (resource / yara_rule):
  - behavioral1/memory/2204-0-0x0000000000400000-0x000000000041A000-memory.dmp / upx
  - behavioral1/memory/2204-2-0x0000000000400000-0x000000000041A000-memory.dmp / upx
  - behavioral1/memory/2404-3-0x0000000000400000-0x000000000041A000-memory.dmp / upx
  - behavioral1/memory/2404-5-0x0000000000400000-0x000000000041A000-memory.dmp / upx
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF} / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Program Files\Internet Explorer\PLUGINS\Windows64.Sys / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - File created / C:\Program Files\Internet Explorer\PLUGINS\WindowNt64.Jmp / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - File created / C:\Program Files\Internet Explorer\PLUGINS\WindowNt64.Jmp / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
- Modifies registry class (5 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF} / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF}\ / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF}\InProcServer32 / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF}\InProcServer32\ = "C:\\Program Files\\Internet Explorer\\PLUGINS\\Windows64.Sys" / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D47A61B8-0EAB-417F-8DF4-5C949982A2AF}\InProcServer32\ThreadingModel = "Apartment" / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 2204 wrote to memory of 2404 / 2204 / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - PID 2204 wrote to memory of 2404 / 2204 / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - PID 2204 wrote to memory of 2404 / 2204 / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
  - PID 2204 wrote to memory of 2404 / 2204 / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe / 1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a86f5159d4eb8ca203f69d11efe5cc6_JaffaCakes118.exe" Z
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2204-0-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/2204-2-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/2404-3-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/2404-5-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)