Analysis Overview
SHA256
122b0c5761c76830ea1cc58e97ecdb1e91c23a428a6de3b827b1edc98e4b1da6
Threat Level: Shows suspicious behavior
The file 022bcc1c38771540622cb928cd602e38_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Installs/modifies Browser Helper Object
Modifies WinLogon
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6} | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\ | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Impersonate = "0" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Startup = "NotifyStartup" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Shutdown = "NotifyShutdown" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Asynchronous = "0" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Dllname = "expUSA.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\expUSA.dll | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32 | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32\ = "C:\\Windows\\SysWow64\\expUSA.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6} | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Windows\system32\expUSA.dll",DNSetup
Network
Files
\Windows\SysWOW64\expUSA.dll
| MD5 | efed4bea1a76f06db94b6e468bea8cbc |
| SHA1 | 4d1f2988d4e172ef4a9e24cc62cbc7b3f4e64963 |
| SHA256 | b4a4170f46e2544ac2a8d56112cf36d8996a3bc45c7e82ff716d092fe3c2b03a |
| SHA512 | 0f3a3c34f5484673144bc79881914a1dfb01133e552454513768403d6cd1151fcd2830f15bb12e1f57fe1b772f1c01e4f4cd497a345774cfbe2b43ffc4ca1de2 |
memory/2868-8-0x0000000010000000-0x000000001001A000-memory.dmp
memory/2868-9-0x0000000010011000-0x0000000010012000-memory.dmp
memory/2868-7-0x0000000010000000-0x000000001001A000-memory.dmp
memory/2868-6-0x0000000010000000-0x000000001001A000-memory.dmp
memory/2868-10-0x0000000010000000-0x000000001001A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 12:43
Reported
2024-06-22 12:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8841f643-b5cd-4ecb-a57f-40df868c123f} | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8841f643-b5cd-4ecb-a57f-40df868c123f}\ | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Dllname = "edgdef.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Impersonate = "0" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Startup = "NotifyStartup" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Shutdown = "NotifyShutdown" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\edgdef\Asynchronous = "0" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\edgdef.dll | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f} | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32 | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32\ = "C:\\Windows\\SysWow64\\edgdef.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8841f643-b5cd-4ecb-a57f-40df868c123f}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4316 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4316 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4316 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Windows\system32\edgdef.dll",DNSetup
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3896,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\edgdef.dll
| MD5 | efed4bea1a76f06db94b6e468bea8cbc |
| SHA1 | 4d1f2988d4e172ef4a9e24cc62cbc7b3f4e64963 |
| SHA256 | b4a4170f46e2544ac2a8d56112cf36d8996a3bc45c7e82ff716d092fe3c2b03a |
| SHA512 | 0f3a3c34f5484673144bc79881914a1dfb01133e552454513768403d6cd1151fcd2830f15bb12e1f57fe1b772f1c01e4f4cd497a345774cfbe2b43ffc4ca1de2 |
memory/1296-3-0x0000000010000000-0x000000001001A000-memory.dmp
memory/1296-4-0x0000000010000000-0x000000001001A000-memory.dmp
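Both detonations show the same installer pattern: the sample writes a DLL into C:\Windows\SysWOW64 (expUSA.dll on Windows 7, edgdef.dll on Windows 10, identical MD5/SHA256 in both runs), then launches the 32-bit RunDll32.exe with "C:\Windows\system32\<name>.dll",DNSetup. The command line names System32, but because RunDll32.exe runs from SysWOW64 it is a 32-bit process and WOW64 file system redirection resolves that path to the SysWOW64 copy; the Wow6432Node registry view in every indicator confirms the same thing. The DNSetup export then registers the DLL twice: as a Browser Helper Object (CLSID under Browser Helper Objects plus an InprocServer32 value pointing at the dropped file) and as a Winlogon notification package under Winlogon\Notify. Two caveats for triage: the file name and CLSID change between runs, so pivot on the DLL hash rather than its name; and Winlogon notification packages are not loaded by Winlogon from Windows Vista onward, so on both images here the Notify key is written but inert, while the BHO registration is the entry that can still be loaded by Internet Explorer. The script below is an added example, not part of the report or of any sandbox tooling: it parses rows in this page's own table layout (the sample rows are copied from the behavioral1 tables), correlates each persistence entry with the file the sample created, and resolves the rundll32 argument through WOW64 redirection. The function and constant names (triage, rundll32_target, effective_dll_path, SAMPLE_ROWS) and the regular expressions are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: rows copied from the Signatures tables on this page,
# in the report's own "| Description | Indicator | Process | Target |" layout.
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6} | C:\Windows\SysWOW64\RunDll32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Dllname = "expUSA.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Startup = "NotifyStartup" | C:\Windows\SysWOW64\RunDll32.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\expUSA\Asynchronous = "0" | C:\Windows\SysWOW64\RunDll32.exe | N/A |',
    r'| File created | C:\Windows\SysWOW64\expUSA.dll | C:\Users\Admin\AppData\Local\Temp\022bcc1c38771540622cb928cd602e38_JaffaCakes118.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98e417d0-c27c-4f9d-8bc2-44f96bb6a0f6}\InprocServer32\ = "C:\\Windows\\SysWow64\\expUSA.dll" | C:\Windows\SysWOW64\RunDll32.exe | N/A |',
]

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"
GUID = r"\{[0-9a-f-]{36}\}"
# Regexes are this example's own, written against the indicator format above.
RE_BHO = re.compile(r"\\Browser Helper Objects\\(" + GUID + r")", re.I)
RE_INPROC = re.compile(r'\\CLSID\\(' + GUID + r')\\InprocServer32\\ = "([^"]*)"', re.I)
RE_NOTIFY = re.compile(r'\\Winlogon\\Notify\\([^\\]+)\\(\w+) = "([^"]*)"', re.I)
RE_RUNDLL = re.compile(r'"([^"]+)",\s*(\w+)')


def parse_row(row: str) -> Dict[str, str]:
    """Split one pipe-table row into its four named cells."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"unexpected row layout: {row!r}")
    return dict(zip(("description", "indicator", "process", "target"), cells))


def norm_path(p: str) -> str:
    """Collapse the report's escaped backslashes and lower-case for comparison."""
    return p.replace("\\\\", "\\").lower()


def effective_dll_path(process: str, dll: str) -> str:
    """Apply WOW64 file system redirection: a 32-bit process (one running from
    SysWOW64) that names C:\\Windows\\System32\\x.dll actually opens
    C:\\Windows\\SysWOW64\\x.dll."""
    p, d = norm_path(process), norm_path(dll)
    if p.startswith(WOW64) and d.startswith(SYS32):
        return WOW64 + d[len(SYS32):]
    return d


def rundll32_target(process: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Extract DLL and export from a rundll32 command line, with the path the
    loader will really use for this process."""
    m = RE_RUNDLL.search(cmdline)
    if not m:
        return None
    return {"dll": effective_dll_path(process, m.group(1)), "export": m.group(2)}


def triage(rows: List[str]) -> Dict[str, object]:
    """Collect BHO and Winlogon\\Notify registrations from report rows and
    correlate each referenced DLL with files the sample itself created."""
    bho_clsids, inproc, notify, dropped, wow64 = set(), {}, {}, set(), False
    for r in map(parse_row, rows):
        ind = r["indicator"]
        wow64 = wow64 or "wow6432node" in ind.lower()  # 32-bit registry view
        if r["description"] == "File created":
            dropped.add(norm_path(ind))
        elif m := RE_BHO.search(ind):
            bho_clsids.add(m.group(1).lower())
        elif m := RE_INPROC.search(ind):
            inproc[m.group(1).lower()] = norm_path(m.group(2))
        elif m := RE_NOTIFY.search(ind):
            notify.setdefault(m.group(1), {})[m.group(2)] = m.group(3)

    findings = []
    for clsid in sorted(bho_clsids):
        dll = inproc.get(clsid)  # the CLSID's in-process server is the loaded DLL
        findings.append({"mechanism": "BHO", "key": clsid, "dll": dll,
                         "dropped_by_sample": dll in dropped})
    for name, values in notify.items():
        dll = values.get("Dllname")  # bare file name, so compare by basename
        hit = bool(dll) and any(p.rsplit("\\", 1)[-1] == dll.lower() for p in dropped)
        findings.append({"mechanism": "WinlogonNotify", "key": name, "dll": dll,
                         "dropped_by_sample": hit,
                         "exports": {k: v for k, v in values.items()
                                     if k in ("Startup", "Shutdown")}})
    return {"wow64_view": wow64, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
    print(rundll32_target(r"C:\Windows\SysWOW64\RunDll32.exe",
                          r'RunDll32.exe "C:\Windows\system32\expUSA.dll",DNSetup'))
```

Feeding the behavioral2 rows through the same functions gives the same two findings with edgdef.dll and {8841f643-b5cd-4ecb-a57f-40df868c123f}, which is why the report's file-hash table, not the DLL name or CLSID, is the indicator to keep.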