Analysis
max time kernel: 137s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 03fbbba08443d719c48a16380a4c7bca_JaffaCakes118.dll
Resource: win7-20240611-en
General
Target: 03fbbba08443d719c48a16380a4c7bca_JaffaCakes118.dll
Size: 113KB
MD5: 03fbbba08443d719c48a16380a4c7bca
SHA1: 2ec24b53585b27f9a778845f4e530e6b0421a575
SHA256: 40db3319b8eeec04973e9f67ce1eb5f76160619c9c6a54e3a8208a18be7529d2
SHA512: 5e3042db83759db56f1d99cbdf52678f06297f678034a1806122f5012bf5ea38a186944dc1fed4e73ef9922dbe169849d49d70f0ef9fc000088e7592cd76cd86
SSDEEP: 3072:sewc6DlnLPTOBZLJW7m3TfY1qCB2Y2FmH2:sewc6DBLbOJW7YfYstY2Fm
Malware Config
Signatures

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | process
2252 | rundll32.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7}\ = "{7d19d6cd-c6f3-b9e9-ca84-967f2e0ee6b1}" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | rundll32.exe
Drops file in System32 directory (2 IoCs)
Processes: rundll32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\bhnpml.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\bhnpml.dll | rundll32.exe
Modifies registry class (23 IoCs)
Processes: rundll32.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7}\InprocServer32\ThreadingModel = "free" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7}\InprocServer32\ = "C:\\Windows\\SysWow64\\bhnpml.dll" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7}\InprocServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1b6ee0e2-f769-48ac-9e9b-3f6cdc6d91d7} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID | rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 4072 wrote to memory of 4124 | 4072 | rundll32.exe | rundll32.exe
PID 4072 wrote to memory of 4124 | 4072 | rundll32.exe | rundll32.exe
PID 4072 wrote to memory of 4124 | 4072 | rundll32.exe | rundll32.exe
PID 4124 wrote to memory of 2252 | 4124 | rundll32.exe | rundll32.exe
PID 4124 wrote to memory of 2252 | 4124 | rundll32.exe | rundll32.exe
PID 4124 wrote to memory of 2252 | 4124 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fbbba08443d719c48a16380a4c7bca_JaffaCakes118.dll,#1
   PID: 4072
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fbbba08443d719c48a16380a4c7bca_JaffaCakes118.dll,#1
      PID: 4124
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe "C:\Windows\system32\bhnpml.dll",i
         PID: 2252
         - Loads dropped DLL
         - Installs/modifies Browser Helper Object
         - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 113KB
MD5: 03fbbba08443d719c48a16380a4c7bca
SHA1: 2ec24b53585b27f9a778845f4e530e6b0421a575
SHA256: 40db3319b8eeec04973e9f67ce1eb5f76160619c9c6a54e3a8208a18be7529d2
SHA512: 5e3042db83759db56f1d99cbdf52678f06297f678034a1806122f5012bf5ea38a186944dc1fed4e73ef9922dbe169849d49d70f0ef9fc000088e7592cd76cd86