Analysis
  max time kernel:  149s
  max time network: 128s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240508-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22-06-2024 12:43
Static task
  static1

Behavioral task
  behavioral1
  Sample:   022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task
  behavioral2
  Sample:   022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
  Size:   25KB
  MD5:    022bcc1c38771540622cb928cd602e38
  SHA1:   16eede566a0c854840f4a7a6d1ddd9d951131b43
  SHA256: 122b0c5761c76830ea1cc58e97ecdb1e91c23a428a6de3b827b1edc98e4b1da6
  SHA512: a9c3cf41b321ffd5a327d6c9c68f5428ac404965a70fd77b0fe405c70f22886d1d5ad368ae40418e5047ffcd315490bc5f00118783778cca8d586c2d928c283a
  SSDEEP: 384:wuPv8Ci8igpfAPEAGcvglJDkl4zg311pTQH4CtYoKXVhxACnb+/Zjz:5npsycvglJDQLFEY2eXV10Zjz
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  1296  RunDll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description      ioc                                                                                                                              Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8841f643-b5cd-4ecb-a57f-40df868c123f}    RunDll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8841f643-b5cd-4ecb-a57f-40df868c123f}\   RunDll32.exe
Modifies WinLogon (2 TTPs, 7 IoCs)
  description      ioc                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Dllname = "edgdef.dll"         RunDll32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Impersonate = "0"             RunDll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Startup = "NotifyStartup"     RunDll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Shutdown = "NotifyShutdown"   RunDll32.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\                                      RunDll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef                                RunDll32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Asynchronous = "0"            RunDll32.exe
  Note: the Startup and Shutdown values name the exports (NotifyStartup, NotifyShutdown) that a Winlogon notification package is called through on those events. Winlogon notification packages are not supported on Windows Vista and later, so on this Windows 10 image these keys are a reliable IoC for the dropper but not a working autostart; the BHO registration below is the mechanism that would actually load edgdef.dll (into 32-bit Internet Explorer, given the WOW6432Node view).
Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\edgdef.dll    022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe

Modifies registry class (4 IoCs)
  description      ioc                                                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}                                     RunDll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32                      RunDll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32\ = "C:\\Windows\\SysWow64\\edgdef.dll"   RunDll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32\ThreadingModel = "Free"   RunDll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1296  RunDll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                                               procid_target
  PID 4316 wrote to memory of 1296    4316  022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe    89
  PID 4316 wrote to memory of 1296    4316  022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe    89
  PID 4316 wrote to memory of 1296    4316  022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe    89
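The registry writes above give two host-side places to look for the same implant: the Browser Helper Object list, which only points at a CLSID, and the CLSID's InprocServer32 value, which names the DLL; plus the Winlogon\Notify subkeys with their Dllname values. The script below is an added hunt written for this report, not part of the Triage output or of the sample. It enumerates both the native and the WOW6432Node registry views (the sample wrote only the 32-bit view), resolves each registration to a DLL path, checks whether the file exists, hashes it so the result can be compared with the Downloads section, and flags the CLSID and DLL name recorded here. It assumes an elevated PowerShell prompt on the host being checked; the column names and the System32/SysWOW64 lookup for bare file names are this example's choices, not something the report states.

```powershell
# Added hunt for the BHO and Winlogon\Notify registrations seen in the report.
# Editor-supplied example; not the sample's code and not Triage output.
# Assumption: run elevated; both registry views are read, since a 64-bit IE
# would consult the native view while the sample wrote WOW6432Node.

$KnownBadClsid = '{8841f643-b5cd-4ecb-a57f-40df868c123f}'   # CLSID from the report
$KnownBadDll   = 'edgdef.dll'                                # DLL name from the report

$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)
$NotifyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)

# A BHO entry is only a CLSID; the DLL that gets loaded is the CLSID's
# InprocServer32 default value. Check both CLSID views.
function Resolve-InprocServer32 {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return $dll }
        }
    }
    return $null
}

# Turn a registry DLL reference into an existing file path, or $null.
# Winlogon\Notify Dllname is usually a bare file name resolved from the system
# directory (SysWOW64 for the 32-bit view), so both directories are tried.
function Resolve-DllPath {
    param([string]$Dll)
    if (-not $Dll) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($Dll.Trim('"'))
    if ([IO.Path]::IsPathRooted($path)) {
        if (Test-Path -LiteralPath $path) { return $path } else { return $null }
    }
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $candidate = Join-Path $dir $path
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-Sha256IfPresent {
    param([string]$Path)
    if ($Path) { return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
    return $null
}

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Browser Helper Objects: every subkey name is a CLSID registered for IE to load.
foreach ($root in $BhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $clsid   = $sub.PSChildName
        $dll     = Resolve-InprocServer32 -Clsid $clsid
        $dllName = if ($dll) { [IO.Path]::GetFileName($dll.Trim('"')) } else { '' }
        $onDisk  = Resolve-DllPath -Dll $dll
        $findings.Add([pscustomobject]@{
            Mechanism = 'BHO'
            Flag      = ($clsid -ieq $KnownBadClsid) -or ($dllName -ieq $KnownBadDll)
            Dll       = $dll
            OnDisk    = [bool]$onDisk
            Sha256    = Get-Sha256IfPresent -Path $onDisk
            Key       = $sub.Name
        })
    }
}

# 2. Winlogon\Notify packages: each subkey carries a Dllname value.
foreach ($root in $NotifyRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $dll    = (Get-ItemProperty -LiteralPath $sub.PSPath).Dllname
        $onDisk = Resolve-DllPath -Dll $dll
        $findings.Add([pscustomobject]@{
            Mechanism = 'WinlogonNotify'
            Flag      = ($dll -ieq $KnownBadDll)
            Dll       = $dll
            OnDisk    = [bool]$onDisk
            Sha256    = Get-Sha256IfPresent -Path $onDisk
            Key       = $sub.Name
        })
    }
}

$findings | Sort-Object Flag -Descending | Format-Table Mechanism, Flag, OnDisk, Sha256, Dll, Key -AutoSize
```

Any row with Flag set to True reproduces an IoC from this report. Rows that are not flagged still deserve a look: a BHO whose InprocServer32 points at a DLL that is missing from disk, or a Winlogon\Notify subkey at all on a Windows 10 host, is unusual enough to triage, since nothing legitimate should be creating Notify packages on a version of Windows that no longer loads them.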
Processes

  C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe"
    PID: 4316
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\RunDll32.exe
      Command line: RunDll32.exe "C:\Windows\system32\edgdef.dll",DNSetup
      PID: 1296
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

      Note: the child is the 32-bit RunDll32.exe from SysWOW64, so WoW64 file system redirection maps the "C:\Windows\system32\edgdef.dll" argument to C:\Windows\SysWOW64\edgdef.dll, the file the parent created. DNSetup is the export RunDll32 calls in that DLL; the registry changes listed above are attributed to this process because the dropped DLL runs inside it.

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3896,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8
    PID: 2200
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 18KB
  MD5:      efed4bea1a76f06db94b6e468bea8cbc
  SHA1:     4d1f2988d4e172ef4a9e24cc62cbc7b3f4e64963
  SHA256:   b4a4170f46e2544ac2a8d56112cf36d8996a3bc45c7e82ff716d092fe3c2b03a
  SHA512:   0f3a3c34f5484673144bc79881914a1dfb01133e552454513768403d6cd1151fcd2830f15bb12e1f57fe1b772f1c01e4f4cd497a345774cfbe2b43ffc4ca1de2