Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 07:57
Behavioral task: behavioral1
- Sample: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
- Size: 18KB
- MD5: 04313e8642119d3b34a3d8ac56908465
- SHA1: 6ec322d2d21a961d518dbc8afe0fe10f6ad2b3cd
- SHA256: 6e98178ce94732d4177769617c11fa57951047677ddd6ce1680e2b3a178a8c95
- SHA512: 712a4e3b69f16253b0b7314aa27e125d2dc166af3c18efc513e9fb9fb176a7caf707a5b7117137df72d143958770724dcd7a1cd4c351a1af6371816f454f0a5d
- SSDEEP: 384:KRMCYSeqSEyk1hZAUuTbsHFNm5W/1XIJhm124:KRzeqSReUJXMm58
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| description | ioc | process |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
| resource | yara_rule |
| C:\Users\Admin\AppData\Local\Temp\iebt.dll | acprotect |
Executes dropped EXE (1 IoC)
Processes: iebtmm.exe
| pid | process |
| 2268 | iebtmm.exe |
Loads dropped DLL (1 IoC)
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| pid | process |
| 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
YARA rule matches (upx):
| resource | yara_rule |
| behavioral2/memory/436-0-0x0000000000400000-0x000000000040C000-memory.dmp | upx |
| C:\Users\Admin\AppData\Local\Temp\iebt.dll | upx |
| behavioral2/memory/436-5-0x0000000010000000-0x0000000010009000-memory.dmp | upx |
| C:\Users\Admin\AppData\Local\Temp\iebtmm.exe | upx |
| behavioral2/memory/2268-10-0x0000000000400000-0x0000000000407000-memory.dmp | upx |
| behavioral2/memory/436-11-0x0000000000400000-0x000000000040C000-memory.dmp | upx |
| behavioral2/memory/2268-12-0x0000000000400000-0x0000000000407000-memory.dmp | upx |
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| description | ioc | process |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
Modifies Internet Explorer settings
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| description | ioc | process |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Search | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.managesearches.com/index.php?b=1&t=0&q={searchTerms}" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\SearchScopes | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.browseroption.com/redirect.php" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
Modifies registry class (6 IoCs)
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| description | ioc | process |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ddd = "ddd" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iebt.dll" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ThreadingModel = "Apartment" | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe, iebtmm.exe
The 64 entries are all pid/process pairs for the two processes, in this order:
| pid | process | count |
| 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe | 6 |
| 2268 | iebtmm.exe | 2 |
| 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe | 2 |
(the preceding two rows, 2268 x2 then 436 x2, repeat 14 times in total)
| 2268 | iebtmm.exe | 2 |
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
| description | pid | process | target process |
| PID 436 wrote to memory of 2268 | 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe | iebtmm.exe |
| PID 436 wrote to memory of 2268 | 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe | iebtmm.exe |
| PID 436 wrote to memory of 2268 | 436 | 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe | iebtmm.exe |
Processes
1. C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe"
   PID: 436
   - Adds policy Run key to start application
   - Loads dropped DLL
   - Installs/modifies Browser Helper Object
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\iebtmm.exe (child of PID 436)
      Command line: C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
      PID: 2268
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
- Filesize: 7KB
- MD5: 1751401df95a07f46f382ca64e371ce2
- SHA1: 292bf09ba3f550f2570d0852dfc31d70c0d3539b
- SHA256: e74eb2d590f545290c3e42c9b6369869d180204d0c393af1db01bf3e3f25f634
- SHA512: 9e2ddcfdca8227b02baf34d893876dd393d7bf45dd347cc2a2dac98c43ea91088dca28457101c4a3d76e247beaf324f4bf0f863da611b331fd18b8ecbdcea3a1
File 2
- Filesize: 5KB
- MD5: 9b0f66fdd9cd358a62c3c9fcc20ec5cc
- SHA1: 82a176fa4224c6b68deb641745954ea9db65ede0
- SHA256: 560649782e14d9ddc13be659c6b9d9b812de83dcd8a8272729413e8527533fe9
- SHA512: 9b6d7b5c6e59a8c4acd2c84195ebaa40a7433350acb4152ab0d8c9b8496a9197cf3231a8c1bb7fbb6421c68487394aa318d7d7078ddd5556dc92e784614b9a60