Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 06:36
Static task
static1
Behavioral task
behavioral1
Sample
03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll
-
Size
162KB
-
MD5
03ae7ed86d453a6b6fb5362d396c0908
-
SHA1
3878fb142b8e392052e7c993683eb1164fc2f0fe
-
SHA256
f2cdb57d828617a8bdf5d1f4a83e91d840084d9e5754f26aec183478cb3f1d70
-
SHA512
85555782acc26e4bea677cd129330a75e09931fa6ecf8a4ca74115923bda74ab9b96d7231a3e14dd889f29f4b5383d7de889e007a54395b00c604ab3f31137ed
-
SSDEEP
3072:onAloVPKGHUoshU4IqO6NOXQEpvQTes8eHxj0ggqicELJIyMv576y:ongoVPKKo5I8OXQEpzmxjqbLJadD
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{ee4c2781-ba6c-f1f8-04a9-d0d80445913a} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll\" DllStub" regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9}\NoExplorer = "\"\"" regsvr32.exe -
Modifies registry class 5 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9}\ = "agadoo browser enhancer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4bdbc0f-8644-b1aa-6968-c175de33b2a9}\InProcServer32 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 1004 wrote to memory of 3752 1004 regsvr32.exe regsvr32.exe PID 1004 wrote to memory of 3752 1004 regsvr32.exe regsvr32.exe PID 1004 wrote to memory of 3752 1004 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\03ae7ed86d453a6b6fb5362d396c0908_JaffaCakes118.dll2⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3752