Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15-04-2024 19:41
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: f1c609d792c973110ca5c82cbc9d93ca_JaffaCakes118.dll
- Resource: win7-20240215-en
- 3 signatures
- 150 seconds
General
- Target: f1c609d792c973110ca5c82cbc9d93ca_JaffaCakes118.dll
- Size: 697KB
- MD5: f1c609d792c973110ca5c82cbc9d93ca
- SHA1: 23738a0d2656499f28b87c4c6d5103951c47826f
- SHA256: bb172d50396b100b73db6d34f353bd81afb6dbf56a32a746e4fb665cb48ba98a
- SHA512: 0e23aacf13d0d0e30e4b64ae2240324e92af239520fb110f53157720a962188958b33b1a63cac98e3e66872991b4e11645a408efced33f22f2ffe87cdc4802d9
- SSDEEP: 12288:IsvSN2nPRQRlENu6q8zNKoTI3dVADRz+7TSF5MRDip5OJPE9iJUYjP0t8:HKoJQrENutYLTI3wVcC5KQuM9Z9t8
Malware Config
Signatures
-
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.

Description | IoC | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} | regsvr32.exe
Modifies registry class (5 IoCs)

Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1c609d792c973110ca5c82cbc9d93ca_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}\ | regsvr32.exe
Suspicious use of WriteProcessMemory (7 IoCs)

Description | PID | Process | Target PID
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
PID 1512 wrote to memory of 2280 | 1512 | regsvr32.exe | 28
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f1c609d792c973110ca5c82cbc9d93ca_JaffaCakes118.dll
   PID: 1512
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\f1c609d792c973110ca5c82cbc9d93ca_JaffaCakes118.dll
      PID: 2280
      - Installs/modifies Browser Helper Object
      - Modifies registry class