Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 12:43
Static task: static1
Behavioral task: behavioral1
- Sample: 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
- Size: 25KB
- MD5: 022bcc1c38771540622cb928cd602e38
- SHA1: 16eede566a0c854840f4a7a6d1ddd9d951131b43
- SHA256: 122b0c5761c76830ea1cc58e97ecdb1e91c23a428a6de3b827b1edc98e4b1da6
- SHA512: a9c3cf41b321ffd5a327d6c9c68f5428ac404965a70fd77b0fe405c70f22886d1d5ad368ae40418e5047ffcd315490bc5f00118783778cca8d586c2d928c283a
- SSDEEP: 384:wuPv8Ci8igpfAPEAGcvglJDkl4zg311pTQH4CtYoKXVhxACnb+/Zjz:5npsycvglJDQLFEY2eXV10Zjz
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
  pid / Process:
  - 2868 RunDll32.exe
  - 2868 RunDll32.exe
  - 2868 RunDll32.exe
  - 2868 RunDll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6} (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\ (RunDll32.exe)

Modifies WinLogon (2 TTPs, 7 IoCs)
  description / ioc / Process:
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Impersonate = "0" (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Startup = "NotifyStartup" (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Shutdown = "NotifyShutdown" (RunDll32.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ (RunDll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA (RunDll32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Asynchronous = "0" (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Dllname = "expUSA.dll" (RunDll32.exe)

Drops file in System32 directory (1 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\expUSA.dll (022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe)

Modifies registry class (4 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32 (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32\ = "C:\\Windows\\SysWow64\\expUSA.dll" (RunDll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32\ThreadingModel = "Free" (RunDll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6} (RunDll32.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 2868 RunDll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target:
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
  - PID 2088 wrote to memory of 2868 (pid 2088, 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe, target 28)
Processes
1. C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe"
   PID: 2088
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\RunDll32.exe (child of PID 2088)
      Command line: RunDll32.exe "C:\Windows\system32\expUSA.dll",DNSetup
      PID: 2868
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 18KB
- MD5: efed4bea1a76f06db94b6e468bea8cbc
- SHA1: 4d1f2988d4e172ef4a9e24cc62cbc7b3f4e64963
- SHA256: b4a4170f46e2544ac2a8d56112cf36d8996a3bc45c7e82ff716d092fe3c2b03a
- SHA512: 0f3a3c34f5484673144bc79881914a1dfb01133e552454513768403d6cd1151fcd2830f15bb12e1f57fe1b772f1c01e4f4cd497a345774cfbe2b43ffc4ca1de2