Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 06:28
Behavioral task
behavioral1
Sample
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe
-
Size
97KB
-
MD5
03a1e6da34d0b6d3b0ddc27feb6f0e7d
-
SHA1
7aef20691cfd5cf39e64df85ae937bc701cf2317
-
SHA256
dfae13cb3c08df7aebd29e26068273c57366110218747318a47d007a0d15a49e
-
SHA512
ba71451823e3d45889a92b55b9c3d3464491e6a563c6ce6616c40685f3c97721f40b2ee16d86a0b61a67e3f223e8c79c6318b09c418ebe298dc7e3c48f89ba5c
-
SSDEEP
3072:Q7mx2cZ8UtE2UvMzSKMLTQ7ja8qULZsJge:QKxfo5yo3Q7ja8qe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PostTip.exepid process 1624 PostTip.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 3368 regsvr32.exe 4084 regsvr32.exe -
Processes:
resource yara_rule behavioral2/memory/3704-0-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral2/memory/3704-10-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral2/memory/3704-13-0x0000000000400000-0x0000000000448000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
PostTip.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" PostTip.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
regsvr32.exeregsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C4BF6897-41A2-454B-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exedescription ioc process File created C:\Program Files (x86)\PostTip\PostTip.exe 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe File created C:\Program Files (x86)\PostTip\PostTip.dll 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe File created C:\Program Files (x86)\PostTip\uninstall.exe 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exepid process 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exePostTip.exepid process 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe 1624 PostTip.exe 1624 PostTip.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exePostTip.exedescription pid process target process PID 3704 wrote to memory of 3368 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe regsvr32.exe PID 3704 wrote to memory of 3368 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe regsvr32.exe PID 3704 wrote to memory of 3368 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe regsvr32.exe PID 3704 wrote to memory of 1624 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe PostTip.exe PID 3704 wrote to memory of 1624 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe PostTip.exe PID 3704 wrote to memory of 1624 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe PostTip.exe PID 1624 wrote to memory of 4084 1624 PostTip.exe regsvr32.exe PID 1624 wrote to memory of 4084 1624 PostTip.exe regsvr32.exe PID 1624 wrote to memory of 4084 1624 PostTip.exe regsvr32.exe PID 3704 wrote to memory of 2748 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe cmd.exe PID 3704 wrote to memory of 2748 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe cmd.exe PID 3704 wrote to memory of 2748 3704 03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\03a1e6da34d0b6d3b0ddc27feb6f0e7d_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3368 -
C:\Program Files (x86)\PostTip\PostTip.exe"C:\Program Files (x86)\PostTip\PostTip.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c \DelUS.bat2⤵PID:2748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
271B
MD5648ba72e35508a681356077d62665a77
SHA18911df660f599091b298c55bd9a410002373b776
SHA25670d21ad9173466ab16461b678b3d30a7a52eb1b5aafe0437ed322ceb5df7cc1d
SHA5120eef267afd22dd5578b856735944c49f760c116129894e721a2f14393cecd9789798c4e5473441fa4fe0e0b39e6f4dfdcab381e310e8eaf46dd80cb5e94a3fbe
-
Filesize
162KB
MD5dc62c2f61a803bd1292b0b169fa6f8d9
SHA1117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA2567434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA51255f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1
-
Filesize
38KB
MD5c2b5be376cac31c0b01603105ae4ea89
SHA14fcfa0181ca5478103c6999199957be40f4a937b
SHA2568ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72