Analysis

- max time kernel: 112s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2024 17:47
Behavioral tasks

- behavioral1: sample ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll, resource win7-20240221-en
- behavioral2: sample ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll, resource win10v2004-20240412-en (the run shown on this page)
General

- Target: ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll
- Size: 745KB
- MD5: ffd2bc670257842411c84c4a6123e994
- SHA1: 5b1c425594ba026865a851b715c7f2ee737a7588
- SHA256: c92bb6c2eeeaab71d2ed244808c95d3792a7d1499a8571106a8353c5045906c2
- SHA512: 97aaf0a737be314f9be74c18c99ce3f80a133b0e4db6e57d0b45f7fbf44bab284a7a61ee595c9dd8ff8530cd2036df3c0889bf91c97ad87d9332f76b874bc041
- SSDEEP: 12288:jf1lk1Us3UG6oh+bZvSNvIk44Mf2Te9YY0s1hT9YKx0b0oCFoWx78U0nKqovpD4r:jf1QUqv4ZqIkpMosL9ByNYd78lKNkpp
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gbieh.1 = rundll32 "C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll" SpecialFunction
Explorer processes Policies\Explorer\Run at logon in the same way as the ordinary Run key, so this value relaunches the sample from the user's Temp directory through rundll32, calling its SpecialFunction export. The policy key is easy to miss in a manual review that only covers Run and RunOnce; Autoruns lists it under Logon.

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "Banco do Brasil S.A."
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
The registration sits in the WOW6432Node view, so this is a 32-bit BHO and will be loaded by 32-bit Internet Explorer only. The display name "Banco do Brasil S.A." is just a string the sample writes into the (Default) value; it says nothing about who built or signed the DLL.

Modifies registry class (6 IoCs)
Process: regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ = "C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\InprocServer32\ThreadingModel = "Apartment"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}\ = "GbiehObj Class"
This is a standard COM in-process server registration: the CLSID named by the BHO entry above resolves through InprocServer32 to the sample in the user's Temp directory, so any 32-bit COM client that instantiates {FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB} loads the DLL, not only Internet Explorer.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Process: regsvr32.exe (PID 1092)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus four privileges the sandbox reports only by LUID (33, 34, 35, 36)
Enabling the whole list at once is the pattern of a blanket AdjustTokenPrivileges loop rather than a targeted request for SeDebugPrivilege. AdjustTokenPrivileges can only enable privileges the token already holds; it does not grant new ones.

Suspicious use of WriteProcessMemory (3 IoCs)
Process: regsvr32.exe
  PID 4388 (regsvr32.exe) wrote to memory of PID 1092 (regsvr32.exe), three times
PID 4388 is the 64-bit C:\Windows\system32\regsvr32.exe and PID 1092 the C:\Windows\SysWOW64\regsvr32.exe it launched (the native regsvr32 hands a 32-bit DLL to the WOW64 copy). The writes are consistent with the parent populating the child's process parameters during CreateProcess and are not, on their own, evidence of injection.
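The two persistence signatures above (the Policies\Explorer\Run value and the BHO registration) can be checked mechanically against registry-write telemetry. The following Python is an added example for this page, not code from the Triage report or from the sample. Its input rows are constructed from the IoCs shown above, plus one hypothetical benign BHO (CLSID {00000000-0000-0000-0000-000000000001}, display name "Example Vendor", written by msiexec.exe, DLL under Program Files) so that the user-writable-path heuristic has something to separate. The regkey helper, the Finding dataclass and the regular expressions are this example's own.

```python
"""Added detection example for the two persistence signatures above (not code
from the Triage report or the sample). Events are (operation, registry path,
value data, writing process) tuples in the shape of the report's IoC rows."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, Optional[str], str]


def regkey(*parts: str) -> str:
    """Join path parts; a trailing "" yields the trailing backslash the report
    uses for a key's (Default) value."""
    return "\\".join(parts)


HKLM_SW = r"\REGISTRY\MACHINE\SOFTWARE"
POLICY_RUN = regkey(HKLM_SW, "Microsoft", "Windows", "CurrentVersion", "Policies", "Explorer", "Run")
BHO_KEY32 = regkey(HKLM_SW, "WOW6432Node", "Microsoft", "Windows", "CurrentVersion", "Explorer", "Browser Helper Objects")
BHO_KEY64 = regkey(HKLM_SW, "Microsoft", "Windows", "CurrentVersion", "Explorer", "Browser Helper Objects")
CLSID32, CLSID64 = regkey(HKLM_SW, "Classes", "WOW6432Node", "CLSID"), regkey(HKLM_SW, "Classes", "CLSID")
TEMP_DLL = r"C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll"
BHO_CLSID = "{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}"
CTRL_CLSID = "{00000000-0000-0000-0000-000000000001}"  # hypothetical benign BHO, constructed

SAMPLE_EVENTS: List[Event] = [
    # Rows constructed from the report's signatures
    ("Key created", POLICY_RUN, None, "regsvr32.exe"),
    ("Set value (str)", regkey(POLICY_RUN, "gbieh.1"), f'rundll32 "{TEMP_DLL}" SpecialFunction', "regsvr32.exe"),
    ("Key created", regkey(BHO_KEY32, BHO_CLSID), None, "regsvr32.exe"),
    ("Set value (str)", regkey(BHO_KEY32, BHO_CLSID, ""), "Banco do Brasil S.A.", "regsvr32.exe"),
    ("Set value (str)", regkey(CLSID32, BHO_CLSID, "InprocServer32", ""), TEMP_DLL, "regsvr32.exe"),
    ("Set value (str)", regkey(CLSID32, BHO_CLSID, "InprocServer32", "ThreadingModel"), "Apartment", "regsvr32.exe"),
    # Constructed control: a vendor BHO whose server DLL lives under Program Files
    ("Set value (str)", regkey(BHO_KEY64, CTRL_CLSID, ""), "Example Vendor", "msiexec.exe"),
    ("Set value (str)", regkey(CLSID64, CTRL_CLSID, "InprocServer32", ""), r"C:\Program Files\Example\ex.dll", "msiexec.exe"),
]

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
RUN_POLICY_RE = re.compile(r"\\Policies\\Explorer\\Run\\(?P<name>[^\\]+)$", re.I)
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(?P<clsid>" + GUID + r")\\?$", re.I)
INPROC_RE = re.compile(r"\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>" + GUID + r")\\InprocServer32\\$", re.I)
# A payload in a location a standard user can write to is the strongest single
# signal separating the sample from a product installed under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(?:\.exe)?\b", re.I)


@dataclass
class Finding:
    technique: str            # "policy-run-key" or "bho-install"
    key: str                  # value name (Run key) or CLSID (BHO)
    process: str              # process that wrote the registry
    label: Optional[str]      # BHO display name, if one was written
    payload: Optional[str]    # Run command line, or the BHO's InprocServer32 DLL
    lolbin: Optional[str]     # LOLBin named in the Run command line, if any
    wow64: bool               # written to the 32-bit (WOW6432Node) view
    high_confidence: bool     # payload resides in a user-writable location


def find_policy_run_persistence(events: List[Event]) -> List[Finding]:
    """Flag every value written under Policies\\Explorer\\Run."""
    out: List[Finding] = []
    for op, path, data, proc in events:
        m = RUN_POLICY_RE.search(path)
        if not m or not op.startswith("Set value") or data is None:
            continue
        lol = LOLBIN_RE.search(data)
        out.append(Finding("policy-run-key", m.group("name"), proc, None, data,
                           lol.group(1).lower() if lol else None,
                           "\\WOW6432NODE\\" in path.upper(),
                           bool(lol) and bool(USER_WRITABLE_RE.search(data))))
    return out


def find_bho_registrations(events: List[Event]) -> List[Finding]:
    """Correlate each BHO CLSID with the InprocServer32 DLL it resolves to."""
    servers: Dict[str, Tuple[str, bool]] = {}   # CLSID -> (DLL path, is WOW6432Node)
    names: Dict[str, str] = {}
    registrar: Dict[str, str] = {}              # CLSID -> first process to touch it
    for op, path, data, proc in events:
        m = INPROC_RE.search(path)
        if m and op.startswith("Set value") and data:
            servers[m.group("clsid").upper()] = (data, bool(m.group("wow")))
            continue
        m = BHO_RE.search(path)
        if m:
            clsid = m.group("clsid").upper()
            registrar.setdefault(clsid, proc)
            if op.startswith("Set value") and data:
                names[clsid] = data
    out: List[Finding] = []
    for clsid, proc in registrar.items():
        dll, wow = servers.get(clsid, (None, False))
        out.append(Finding("bho-install", clsid, proc, names.get(clsid), dll, None, wow,
                           bool(dll and USER_WRITABLE_RE.search(dll))))
    return out


if __name__ == "__main__":
    for f in find_policy_run_persistence(SAMPLE_EVENTS) + find_bho_registrations(SAMPLE_EVENTS):
        print(f"[{'HIGH' if f.high_confidence else 'info'}] {f.technique} {f.key} by {f.process}: {f.payload}")
```

The BHO check deliberately does not alert on the Browser Helper Objects key alone: a CLSID is only meaningful once it is resolved through Classes\CLSID\{...}\InprocServer32, which is what the third signature on this page supplies. If that resolution is missing (the DLL was registered earlier, or the telemetry window started late) the finding still appears with payload None so an analyst can look the CLSID up by hand.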
Processes

C:\Windows\system32\regsvr32.exe  (regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll)
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\regsvr32.exe  (/s C:\Users\Admin\AppData\Local\Temp\ffd2bc670257842411c84c4a6123e994_JaffaCakes118.dll)
      - Adds policy Run key to start application
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken

The /s switch suppresses regsvr32's dialogs. The native 64-bit regsvr32 re-launches the SysWOW64 copy for a 32-bit DLL, and all of the registry writes above are made from inside that child while it runs the sample's DllRegisterServer export; this is why the BHO and CLSID registrations land under WOW6432Node.