Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 07:34

Static task: static1

Behavioral task: behavioral1
  Sample: 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
Size: 244KB
MD5: 0411fbf6288de3e978aefd69af73d00e
SHA1: 810344528cdf8b82cb9f9694ac607690c36961f8
SHA256: c3b38963d437f369539cd22a21f83105f2febb99dc6feb30434f2f0bbb2f5d42
SHA512: 35ca2b2e6d7fa3de002d831d2de2fc64a4bb87181610f6760c83105e2f5edbd68a4004f864784fe1ca8ba4f4d0ce2034dbcd541fc8d011ab26a3724dd20ee772
SSDEEP: 3072:exBcTBPt+MxJwVEi/8HAuPX6HGJfKV2DVLoF4x7H9PoST:MBEBl+ywVEi/8HAuiHCftDVLoF4B9hT
Signatures

- Loads dropped DLL (1 IoC)
  Processes:
    regsvr32.exe (PID 2208)

- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: regsvr32.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ = "Password Edit Ctrl"
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\NoExplorer = "1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: regsvr32.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\ = "PwdEditCtrl Class"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CurVer
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\ = "PwdEditCtrl Class"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}"

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe, cmd.exe
    PID 1460 (0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe) wrote to memory of PID 352 (cmd.exe) [4 events]
    PID 352 (cmd.exe) wrote to memory of PID 2208 (regsvr32.exe) [7 events]
Processes

1. C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"
   PID: 1460
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat" "
      PID: 352
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32 /s /c C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll
         PID: 2208
         - Loads dropped DLL
         - Installs/modifies Browser Helper Object
         - Modifies registry class