Analysis
- max time kernel: 138s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 06:46
Behavioral task: behavioral1
- Sample: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
- Size: 108KB
- MD5: 03c246b611fa401847ea746723589d0e
- SHA1: 88e4f8f9e59fd4b3bae6df13d567d6ec7c7738dc
- SHA256: 2571801eb3d89e2fdd6e42aa5e3a0bbc3f3d5aa91eb7d0dcb1273df9295a108e
- SHA512: 37855c097d6ab0ebd8295d9b6c96b9e686c00c76f1a2f9b2dd086f64a34e7955e8b5289eddbf01bec7fc85e3daf31aed5d53646ab37fd90aaa446fa351397173
- SSDEEP: 3072:ecDdK0ts+jzaos+8VS5dbE6DwjYqn9XnBmanNUVY0R+Sh:D5sYzaosnsd/D8Jn9pnNUSC+
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  Processes:
    resource: C:\Windows\SysWOW64\AuditPolicyGPIntero.dll | yara_rule: acprotect
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 992 | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    pid: 992 | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
- [signature name missing from the page; yara_rule "upx" hits listed below]
  Processes:
    resource: behavioral2/memory/992-0-0x0000000000400000-0x0000000000423000-memory.dmp | yara_rule: upx
    resource: behavioral2/memory/992-1-0x0000000000400000-0x0000000000423000-memory.dmp | yara_rule: upx
    resource: C:\Windows\SysWOW64\AuditPolicyGPIntero.dll | yara_rule: upx
    resource: behavioral2/memory/992-7-0x00000000001C0000-0x00000000001FC000-memory.dmp | yara_rule: upx
    resource: behavioral2/memory/992-10-0x0000000000400000-0x0000000000423000-memory.dmp | yara_rule: upx
    resource: behavioral2/memory/992-12-0x00000000001C0000-0x00000000001FC000-memory.dmp | yara_rule: upx
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes:
    description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783B7430-EFFA-4611-9E98-293C68401F65} | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
- Modifies registry class (6 IoCs)
  Processes:
    description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{783B7430-EFFA-4611-9E98-293C68401F65}\InprocServer32\ThreadingModel = "apartment" | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{783B7430-EFFA-4611-9E98-293C68401F65}\InprocServer32 | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{783B7430-EFFA-4611-9E98-293C68401F65} | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{783B7430-EFFA-4611-9E98-293C68401F65}\InprocServer32\ = "C:\\Windows\\SysWow64\\AuditPolicyGPIntero.dll" | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 992 | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
    pid: 992 | process: 03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\03c246b611fa401847ea746723589d0e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03c246b611fa401847ea746723589d0e_JaffaCakes118.exe"
  PID: 992
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 86KB
  MD5: f4b7a862f1ba49915c6899ff31e60274
  SHA1: 7f5be7515f40eebfd5e211c341b121e14ecc85a0
  SHA256: d6c6d1b2a88e341ba1640dc82b4fd78455f948565b81139d0cb32a6feacf3b59
  SHA512: a8b6077ddaa704454365c2c06fbb5550b9f9e7965f2ba31040ede406ad9b7ea16c3e759630a9e61bcee4f6bcbd95355a51d9fb572d1da6aa3907e8c7c7e04a72