Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-04-2024 17:47
Behavioral task: behavioral1
- Sample: ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
- Resource: win10v2004-20240412-en
General
- Target: ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
- Size: 745KB
- MD5: ffd2bc670257842411c84c4a6123e994
- SHA1: 5b1c425594ba026865a851b715c7f2ee737a7588
- SHA256: c92bb6c2eeeaab71d2ed244808c95d3792a7d1499a8571106a8353c5045906c2
- SHA512: 97aaf0a737be314f9be74c18c99ce3f80a133b0e4db6e57d0b45f7fbf44bab284a7a61ee595c9dd8ff8530cd2036df3c0889bf91c97ad87d9332f76b874bc041
- SSDEEP: 12288:jf1lk1Us3UG6oh+bZvSNvIk44Mf2Te9YY0s1hT9YKx0b0oCFoWx78U0nKqovpD4r:jf1QUqv4ZqIkpMosL9ByNYd78lKNkpp
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: regsvr32.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gbieh.1 = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll\" SpecialFunction"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The value makes rundll32 call the DLL's exported SpecialFunction at each logon, straight from the user's Temp directory. Policies\Explorer\Run is processed by Explorer alongside the ordinary Run key, so any autostart check must cover it as well as Run and RunOnce.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "Banco do Brasil S.A."
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
The BHO is registered under Wow6432Node, i.e. for the 32-bit Internet Explorer process, matching the 32-bit DLL that SysWOW64\regsvr32.exe loaded. The display name "Banco do Brasil S.A." is a string the sample wrote itself and should be read as a label it chose, not as evidence of who produced the DLL.
Modifies registry class (6 IoCs)
Process: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "GbiehObj Class"
These six writes are the standard COM in-process server registration that a DllRegisterServer export produces. The detail worth flagging is the InprocServer32 default value: it points the BHO's CLSID at a DLL in the user's Temp directory, so Internet Explorer will load code from a user-writable location.
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Process: regsvr32.exe (PID 2488) enabled the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- privilege LUID 33 (SeIncreaseWorkingSetPrivilege)
- privilege LUID 34 (SeTimeZonePrivilege)
- privilege LUID 35 (SeCreateSymbolicLinkPrivilege)
The sandbox reports the three unnamed entries by LUID; the names in parentheses are the standard assignments for those LUIDs on Windows 7. Enabling every privilege present in the token in one sweep, SeDebugPrivilege included, is the pattern of a blanket AdjustTokenPrivileges call. Because DllRegisterServer runs inside regsvr32.exe, this and every other action in the report is attributed to the host process, not to the DLL.
Suspicious use of WriteProcessMemory (7 IoCs)
Process: regsvr32.exe (PID 2492) wrote to the memory of regsvr32.exe (PID 2488), 7 times.
All seven writes go from the 64-bit parent to the 32-bit child it launched (see the process tree below), which is consistent with process creation rather than with injection into an unrelated process.
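The Run-key and BHO/CLSID findings above are the kind of registry evidence a responder usually has to triage from a flat event log rather than from a sandbox UI. The following added example, written for this page and not part of the sandbox's own tooling, parses registry operations in the same one-line layout the report uses and applies the three checks a practitioner would want: an autorun value written under Run, RunOnce or Policies\Explorer\Run; a BHO CLSID registration; and an InprocServer32 default value that resolves into a user-writable directory, correlated back to the BHO. The sample lines are constructed from the IoCs above, plus one constructed benign Run entry (VendorAgent, written by msiexec.exe) as a control; the rule names and the list of user-writable path components are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the registry operations from the report above, one per
# line in the sandbox's '<op> <path> [= "<data>"] <process>' layout, plus one
# constructed benign autorun line (VendorAgent) as a control. Not sandbox output.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gbieh.1 = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll\" SpecialFunction" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "Banco do Brasil S.A." regsvr32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "GbiehObj Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "\"C:\\Program Files\\Vendor\\agent.exe\" /tray" msiexec.exe
'''

# Line shapes used by the report: string data is quoted, with \" and \\ escapes.
SET_RE = re.compile(r'^Set value \(\w+\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')

# Detection patterns (assumed for this example; extend to taste).
AUTORUN_RE = re.compile(r'\\CurrentVersion\\(?:Policies\\Explorer\\)?Run(?:Once)?\\[^\\]+$', re.I)
POLICY_RE = re.compile(r'\\Policies\\Explorer\\Run\\', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})', re.I)
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\\$', re.I)
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|ProgramData|Downloads|Public)\\', re.I)


@dataclass
class RegEvent:
    op: str               # "Key created" or "Set value"
    path: str             # key or value path; a trailing "\" means the default value
    data: Optional[str]   # unescaped string data for Set value, else None
    process: str          # process the sandbox attributed the operation to


def _unescape(s: str) -> str:
    # Undo the \" and \\ escaping the sandbox applies inside quoted data.
    return re.sub(r'\\(.)', r'\1', s)


def parse_events(text: str) -> List[RegEvent]:
    events: List[RegEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            events.append(RegEvent("Set value", m.group(1), _unescape(m.group(2)), m.group(3)))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(RegEvent("Key created", m.group(1), None, m.group(2)))
    return events


def summarize(text: str) -> Dict[str, List[str]]:
    """Map rule name -> list of human-readable details that fired it."""
    findings: Dict[str, List[str]] = {}

    def add(rule: str, detail: str) -> None:
        findings.setdefault(rule, []).append(detail)

    bho_names: Dict[str, Optional[str]] = {}   # CLSID -> display name (default value)
    inproc: Dict[str, str] = {}                # CLSID -> InprocServer32 DLL path

    for ev in parse_events(text):
        if ev.op == "Set value" and ev.data is not None:
            if AUTORUN_RE.search(ev.path):
                value_name = ev.path.rsplit("\\", 1)[-1]
                add("autorun_policy_run" if POLICY_RE.search(ev.path) else "autorun_run",
                    f"{value_name} -> {ev.data}")
                if USER_WRITABLE.search(ev.data):
                    add("autorun_user_writable_target", ev.data)
            m = INPROC_RE.search(ev.path)
            if m:
                inproc[m.group(1).upper()] = ev.data
                if USER_WRITABLE.search(ev.data):
                    add("com_inproc_user_writable", f"{m.group(1).upper()} -> {ev.data}")
        m = BHO_RE.search(ev.path)
        if m:
            clsid = m.group(1).upper()
            if ev.op == "Set value" and ev.path.endswith("\\"):
                bho_names[clsid] = ev.data        # default value carries the display name
            else:
                bho_names.setdefault(clsid, None)  # key creation alone, name not yet seen

    # Correlate each BHO CLSID with the DLL its COM registration points at.
    for clsid, name in bho_names.items():
        add("bho_registered", f"{clsid} name={name!r}")
        dll = inproc.get(clsid)
        if dll is None:
            add("bho_no_inproc_server_seen", clsid)
        elif USER_WRITABLE.search(dll):
            add("bho_dll_in_user_writable_path", f"{clsid} -> {dll}")
    return findings


if __name__ == "__main__":
    for rule, details in summarize(SAMPLE_EVENTS).items():
        for d in details:
            print(f"{rule}: {d}")
```

The control line shows the discrimination that matters in practice: a Run value pointing at Program Files is reported only as an ordinary autorun, while the sample's value fires both the policy-key rule and the user-writable-target rule, and its CLSID is tied to a DLL under AppData\Local\Temp. Case differences such as Software versus SOFTWARE, present in the report's own IoCs, are folded by the case-insensitive patterns and by upper-casing the CLSID.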
Processes
-
C:\Windows\system32\regsvr32.exe (PID 2492)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\regsvr32.exe (PID 2488)
    command line: /s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
    - Adds policy Run key to start application
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
The 64-bit regsvr32.exe cannot load a 32-bit DLL, so it re-launches the 32-bit copy from SysWOW64 with the same arguments. The parent/child pair and the parent's memory writes are that hand-off; every registry change and the privilege adjustment are attributed to the child, inside whose DllRegisterServer call the sample's code actually ran.