Analysis

  • max time kernel: 142s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-06-2024 00:50

General

  • Target: 90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe
  • Size: 1.3MB
  • MD5: 90039c975ddc2e891b50aae18bed6a65
  • SHA1: 095b1924543b08db76857bd95f06ce919eaf2236
  • SHA256: 15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
  • SHA512: 2d3b1bdffc050f657527eb39eade9093c2829a7d4189f89dada98a68f149bfc173ca13ee9686632a8905327da2cccf7b34d51c586f3637817c7e0a709d94c8f9
  • SSDEEP: 24576:L+pUFy+woYqqMK5mmczq36wUCQdjqfo13knOblF32bwHv/QMnSzLCvMqWj+QB:L+5oYtBmZzsBUCQZyo17bltbbSfw8+u

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Registers COM server for autorun (1 TTPs, 4 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory (8 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 8 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"
    • Suspicious use of WriteProcessMemory
    PID: 2548
    • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
      "C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID: 4644
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID: 4736
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
          • Loads dropped DLL
          • Registers COM server for autorun
          • Installs/modifies Browser Helper Object
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID: 3336
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
    PID: 3624

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Browser Extensions (T1176): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 3
  • Discovery
    • Query Registry (T1012): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll
    Filesize: 363KB
    MD5: 9afeb7fa65aa31c6b871237d14a8fb94
    SHA1: 58f99ae9ea22f56f28b6c5fa798bda3109f297f6
    SHA256: 4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a
    SHA512: 311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb
    Filesize: 3KB
    MD5: 9f260bfcd1ef83627ceb2792ee3324f5
    SHA1: 078164529ae639e5ff9cf0e4003a82259c2aace8
    SHA256: 8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526
    SHA512: 3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll
    Filesize: 398KB
    MD5: 410bb7e2c88f92de31b83a173e173e2d
    SHA1: ff40233a038f80b7b1513431d6a9632e8f0e39f0
    SHA256: afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3
    SHA512: d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e

  • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat
    Filesize: 3KB
    MD5: 99df1dab85dd4b568804cf7123ecef54
    SHA1: 199ab77160bb3030b6ff57517b5cf318b1831cc9
    SHA256: 9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890
    SHA512: 31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea

  • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
    Filesize: 356KB
    MD5: 6223a19e77e3b9b4f633e8863ee1cf40
    SHA1: ee5ec9cffb59790d553f5a3394ad5808e1e37446
    SHA256: d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46
    SHA512: 66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3