Analysis
- max time kernel: 51s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 12:08
Static task
- static1 (1 signature)
Behavioral task
- behavioral1
- Sample: 020c4181016f94950e4678baee8560a6_JaffaCakes118.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: 020c4181016f94950e4678baee8560a6_JaffaCakes118.dll
- Size: 586KB
- MD5: 020c4181016f94950e4678baee8560a6
- SHA1: 4999f12561851da1de2192947c7b8a93c3d56f7b
- SHA256: 43479b2ed9d84beb9e6a67ddf0dd9b6a37935867eace2776744a23e2e741b9f4
- SHA512: b07fe26a5ba96fa5ede5040daf068d4ee0307da25cc4b6612c5d8444ae3eda0bacd985c51f822aaef06e33c156bf3538fd186d87f1ab85f644bd00c31be77dcf
- SSDEEP: 12288:dURGhWizvtlv48jNlAFQDXJhIu1+BLp/lFWNiRy1:dUOWizvtlgINqyIuG93W51
Malware Config
Signatures
-
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8D5593A-E84E-6905-055E-1426334C16E7}\NoExplorer = "1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8D5593A-E84E-6905-055E-1426334C16E7} | regsvr32.exe
-
Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{916D7FD8-F95B-F029-9C53-66426464C5E0} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars | regsvr32.exe
-
Modifies registry class (15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D5593A-E84E-6905-055E-1426334C16E7}\ = "searchersmart search enhancer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D5593A-E84E-6905-055E-1426334C16E7}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D5593A-E84E-6905-055E-1426334C16E7}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D5593A-E84E-6905-055E-1426334C16E7} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\ = "Search panel" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\020c4181016f94950e4678baee8560a6_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8D5593A-E84E-6905-055E-1426334C16E7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\020c4181016f94950e4678baee8560a6_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\Implemented Categories\{00021493-0000-0000-C000-000000000046} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{916D7FD8-F95B-F029-9C53-66426464C5E0}\Programmable | regsvr32.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3176 wrote to memory of 1428 | 3176 | regsvr32.exe | 81
PID 3176 wrote to memory of 1428 | 3176 | regsvr32.exe | 81
PID 3176 wrote to memory of 1428 | 3176 | regsvr32.exe | 81
Processes
-
C:\Windows\system32\regsvr32.exe (depth 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\020c4181016f94950e4678baee8560a6_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 3176
  -
  C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\020c4181016f94950e4678baee8560a6_JaffaCakes118.dll
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID: 1428