Analysis

  • max time kernel
    92s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-04-2024 17:16

General

  • Target

    f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    f19360fb94f2e1e3841cdfc6dbc5fa2f

  • SHA1

    eb55681f6d64687bacbc090ab257ceb85fb878f4

  • SHA256

    e73827d3293d3634e99721d2aebff884b6bd0b0dc05ee3207979fc2f905157ab

  • SHA512

    fb58afb2c0525da94cfce9c6c18e9ce963dcae53c6d6ebce0153bbd6db9ae07554848af7a602c6d0b0d7e9c3ada4771f9fb797b7470bd109b1930976196b21b2

  • SSDEEP

    24576:o/AA6D1Z0BPVRI0NMA/vpjS4Iqw3+pySSzTshe6yI7vk59Nb0sNroJ:Ow5FadIqE+pySSzTshef8ecspo

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 41 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr36280.dll
      2⤵
      • Sets file execution options in registry
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Modifies registry class
      PID:696
    • C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
      2⤵
      PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\xwr36280.dll

    Filesize

    216KB

    MD5

    54fc7ad34a3992ad54f2de2888e61b91

    SHA1

    ffca58cc2ceb6e66165243e249dbc7901a422a81

    SHA256

    4fcc806368134bf266a6c76c9f6106db411699e80bcee350c91c82f24b2d4df8

    SHA512

    057cbeb613c61639222930284443e070cc7e53fa07891b73b84c89f5e378265250e2a08f3e525fc37169d227a34c101cc55d24d74e50eb49494eee9a133c1759

  • memory/4760-3-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/4760-5-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/4760-7-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/4760-8-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/4760-9-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/4760-10-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB