c92bb6c2eeeaab71d2ed244808c95d3792a7d1499a8571106a8353c5045906c2

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
Size

745KB
MD5

ffd2bc670257842411c84c4a6123e994
SHA1

5b1c425594ba026865a851b715c7f2ee737a7588
SHA256

c92bb6c2eeeaab71d2ed244808c95d3792a7d1499a8571106a8353c5045906c2
SHA512

97aaf0a737be314f9be74c18c99ce3f80a133b0e4db6e57d0b45f7fbf44bab284a7a61ee595c9dd8ff8530cd2036df3c0889bf91c97ad87d9332f76b874bc041
SSDEEP

12288:jf1lk1Us3UG6oh+bZvSNvIk44Mf2Te9YY0s1hT9YKx0b0oCFoWx78U0nKqovpD4r:jf1QUqv4ZqIkpMosL9ByNYd78lKNkpp

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gbieh.1 = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll\" SpecialFunction"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "Banco do Brasil S.A."	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}	regsvr32.exe

Modifies registry class 6 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "GbiehObj Class"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

regsvr32.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2488	regsvr32.exe
Token: SeSecurityPrivilege	2488	regsvr32.exe
Token: SeTakeOwnershipPrivilege	2488	regsvr32.exe
Token: SeLoadDriverPrivilege	2488	regsvr32.exe
Token: SeSystemProfilePrivilege	2488	regsvr32.exe
Token: SeSystemtimePrivilege	2488	regsvr32.exe
Token: SeProfSingleProcessPrivilege	2488	regsvr32.exe
Token: SeIncBasePriorityPrivilege	2488	regsvr32.exe
Token: SeCreatePagefilePrivilege	2488	regsvr32.exe
Token: SeShutdownPrivilege	2488	regsvr32.exe
Token: SeDebugPrivilege	2488	regsvr32.exe
Token: SeSystemEnvironmentPrivilege	2488	regsvr32.exe
Token: SeRemoteShutdownPrivilege	2488	regsvr32.exe
Token: SeUndockPrivilege	2488	regsvr32.exe
Token: SeManageVolumePrivilege	2488	regsvr32.exe
Token: 33	2488	regsvr32.exe
Token: 34	2488	regsvr32.exe
Token: 35	2488	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe
PID 2492 wrote to memory of 2488	2492	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
2⤵
- Adds policy Run key to start application
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2488

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads