Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 11:36
Static task: static1
Behavioral task: behavioral1
Sample: 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Size: 46KB
MD5: 01f221f9f2a844f66fc83bcf6cdac1e1
SHA1: 44256be3a79ccf529c4720f370fb8192e388a35c
SHA256: 4af04ba1d2405491ea667993e3b04f9a3032960da916438769ae0e4df343fbb8
SHA512: 48095e70cd91bf8d58e1e0d326bf6e1d612fdc3368476955675dd26916d010d2b652b138c4b6b41b5cad7fff083c07fc88b3e50e56361612ca20065967b24d24
SSDEEP: 768:s6XV9SMrYVOeUbBmw1uQfpPdyupRzj/oM+qLkyZhBL9DfYHOk7nvi/w9qb2eI:b7/roWMQfVdyupZ/ogtxk7qRbA
Malware Config
Signatures
Deletes itself 1 IoCs
pid Process
2160 cmd.exe
Installs/modifies Browser Helper Object 2 TTPs 6 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7837CA49-D4F5-4335-BA75-0E008BF95012} 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7837CA49-D4F5-4335-BA75-0E008BF95012}\ = "Google Audio Helper" 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\sys.dat 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
File created C:\Windows\SysWOW64\apphelph3.dll 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\apphelph3.dll 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Modifies registry class 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32\ = "%SystemRoot%\\SysWow64\\apphelph3.dll" 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\InProcServer32\ThreadingModel = "Apartment" 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012} 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7837CA49-D4F5-4335-BA75-0E008BF95012}\ = "Google Audio Helper" 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2336 wrote to memory of 2160 2336 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe 28
PID 2336 wrote to memory of 2160 2336 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe 28
PID 2336 wrote to memory of 2160 2336 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe 28
PID 2336 wrote to memory of 2160 2336 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe 28
Processes
C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2336
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C apphelp.bat
    - Deletes itself
    PID: 2160
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140B
MD5: 333b1a375896eba2946c7fbb1ed936d0
SHA1: 92ea27e3ccbdbf100cb3f71c20938fa3a1acce4b
SHA256: 666c60d137bf471d3f574ca25054ef08ac0401d0661bc893f587a9375a9c6123
SHA512: b7774a777774356d23bce0399f39e43c5b59bb53d26ae4c922286e31ca18ff8e0a22062b83ae668cd8d92df1447f14d8bb7cb43c3a3793693eb9c913f3a3861c