Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 07:57

General

  • Target

    04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    04313e8642119d3b34a3d8ac56908465

  • SHA1

    6ec322d2d21a961d518dbc8afe0fe10f6ad2b3cd

  • SHA256

    6e98178ce94732d4177769617c11fa57951047677ddd6ce1680e2b3a178a8c95

  • SHA512

    712a4e3b69f16253b0b7314aa27e125d2dc166af3c18efc513e9fb9fb176a7caf707a5b7117137df72d143958770724dcd7a1cd4c351a1af6371816f454f0a5d

  • SSDEEP

    384:KRMCYSeqSEyk1hZAUuTbsHFNm5W/1XIJhm124:KRzeqSReUJXMm58

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects file using ACProtect software.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies Internet Explorer settings (1 TTP, 11 IoCs)
  • Modifies registry class (6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe"
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
      C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2268

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iebt.dll

    Filesize

    7KB

    MD5

    1751401df95a07f46f382ca64e371ce2

    SHA1

    292bf09ba3f550f2570d0852dfc31d70c0d3539b

    SHA256

    e74eb2d590f545290c3e42c9b6369869d180204d0c393af1db01bf3e3f25f634

    SHA512

    9e2ddcfdca8227b02baf34d893876dd393d7bf45dd347cc2a2dac98c43ea91088dca28457101c4a3d76e247beaf324f4bf0f863da611b331fd18b8ecbdcea3a1

  • C:\Users\Admin\AppData\Local\Temp\iebtmm.exe

    Filesize

    5KB

    MD5

    9b0f66fdd9cd358a62c3c9fcc20ec5cc

    SHA1

    82a176fa4224c6b68deb641745954ea9db65ede0

    SHA256

    560649782e14d9ddc13be659c6b9d9b812de83dcd8a8272729413e8527533fe9

    SHA512

    9b6d7b5c6e59a8c4acd2c84195ebaa40a7433350acb4152ab0d8c9b8496a9197cf3231a8c1bb7fbb6421c68487394aa318d7d7078ddd5556dc92e784614b9a60

  • memory/436-0-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/436-5-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/436-11-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/436-15-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/2268-10-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2268-12-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB