Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 08:02

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: 04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.dll
  - Resource: win7-20240611-en
  - 3 signatures
  - 150 seconds
General
- Target: 04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.dll
- Size: 565KB
- MD5: 04370eb0f8bcc4bc5da430cfb2ce2b5d
- SHA1: 85453b1af7132952a4b89b1c57f9e78d1789b754
- SHA256: e1df7472a2ed1d08a5823502223f99b3f2f837739952a96cfbc859529e6831a9
- SHA512: 8d6d368f27b6b938c77e833e7a92863629dcea96d9d4ff2b1a2d64a507f64cdda9b6a8ea24921eea10e5feb0d8a4e26e770e408e8766db4e0bb15c9f1073e5f4
- SSDEEP: 12288:ZyA1ZdqVfv/6HftOIA3+00wstpSdCi3TLdLOGvZZ6NpVBw4:J1fqZCHwIr00taCiHpTZZ6p
Malware Config
Signatures
-
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CC01FC6C-3891-93B7-658F-348886A878BA} | regsvr32.exe
- Modifies registry class (11 IoCs)
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.xx\ = "xx" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.xx\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.xx | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.xx\Clsid\ = "{CC01FC6C-3891-93B7-658F-348886A878BA}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\ProgID\ = "04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.xx" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\ = "xx" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC01FC6C-3891-93B7-658F-348886A878BA}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 3588 wrote to memory of 4048 | 3588 | regsvr32.exe | regsvr32.exe
PID 3588 wrote to memory of 4048 | 3588 | regsvr32.exe | regsvr32.exe
PID 3588 wrote to memory of 4048 | 3588 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 3588
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\04370eb0f8bcc4bc5da430cfb2ce2b5d_JaffaCakes118.dll
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID: 4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4500 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
  PID: 1264