Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 11:36

Static task: static1
Behavioral task: behavioral1
Sample: 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Size: 46KB
MD5: 01f221f9f2a844f66fc83bcf6cdac1e1
SHA1: 44256be3a79ccf529c4720f370fb8192e388a35c
SHA256: 4af04ba1d2405491ea667993e3b04f9a3032960da916438769ae0e4df343fbb8
SHA512: 48095e70cd91bf8d58e1e0d326bf6e1d612fdc3368476955675dd26916d010d2b652b138c4b6b41b5cad7fff083c07fc88b3e50e56361612ca20065967b24d24
SSDEEP: 768:s6XV9SMrYVOeUbBmw1uQfpPdyupRzj/oM+qLkyZhBL9DfYHOk7nvi/w9qb2eI:b7/roWMQfVdyupZ/ogtxk7qRbA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9105EA91-5EED-434C-B490-AEBCF54E286B} | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9105EA91-5EED-434C-B490-AEBCF54E286B}\ = "Google Audio Helper" | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\sys.dat | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\apphelph3.dll | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\apphelph3.dll | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B} | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\ = "Google Audio Helper" | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32 | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32\ = "%SystemRoot%\\SysWow64\\apphelph3.dll" | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9105EA91-5EED-434C-B490-AEBCF54E286B}\InProcServer32\ThreadingModel = "Apartment" | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5108 wrote to memory of 3608 | 5108 | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | 81
  PID 5108 wrote to memory of 3608 | 5108 | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | 81
  PID 5108 wrote to memory of 3608 | 5108 | 01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe | 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01f221f9f2a844f66fc83bcf6cdac1e1_JaffaCakes118.exe"
   PID: 5108
   - Checks computer location settings
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C apphelp.bat
      PID: 3608
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140B
MD5: 333b1a375896eba2946c7fbb1ed936d0
SHA1: 92ea27e3ccbdbf100cb3f71c20938fa3a1acce4b
SHA256: 666c60d137bf471d3f574ca25054ef08ac0401d0661bc893f587a9375a9c6123
SHA512: b7774a777774356d23bce0399f39e43c5b59bb53d26ae4c922286e31ca18ff8e0a22062b83ae668cd8d92df1447f14d8bb7cb43c3a3793693eb9c913f3a3861c