Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 13:17
Behavioral task: behavioral1
- Sample: 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Size: 202KB
- MD5: 0253556cd907c56e06aad3d79f115d5c
- SHA1: 4a0ca9d04e1699fff3b5256c89c731a5e9f0a744
- SHA256: 4dc06fdd711f03eb0a3eaf7fd08f9153629674e7ddb4a48410087bb54c775c65
- SHA512: 85f248d8daab55aaf60d354eae2223cb42939696bd40995d8662f7cedf5f45273e0df06fc6d65cb9213e26655d301387dbdeddcd8ef4e9fb9c91a2f0bad0192a
- SSDEEP: 6144:RI/OY3tLyGilOWguqNSK+9rd7oUT7TF6RfQ9:RI2YdRVC77T7TF
Malware Config
Signatures
-
- Loads dropped DLL (5 IoCs)
  pid | Process
  2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  2368 | rundll32.exe
  2368 | rundll32.exe
  2368 | rundll32.exe
  2368 | rundll32.exe
-
  resource | yara_rule
  behavioral1/memory/2180-0-0x0000000000400000-0x0000000000435000-memory.dmp | upx
  behavioral1/memory/2180-16-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aqudwrc.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\aqudwrc.dll,opuyyg" | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{770DB178-5B8E-45D6-A08A-01D3B849059C} | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\yqyzlvl.dll | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\aqudwrc.dll | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C} | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ = "C:\\Windows\\SysWow64\\yqyzlvl.dll" | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ThreadingModel = "Apartment" | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
  PID 2180 wrote to memory of 2368 | 2180 | 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2180
  Child process:
  C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\aqudwrc.dll,opuyyg
  - Loads dropped DLL
  PID: 2368
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 92KB
- MD5: 2d472c8665f37b45b78772684418fe21
- SHA1: 70119803f17592c2fb3188ceb5c32e9d19ce0737
- SHA256: a10734205236fa06b26951e511074fa7d16de8cb7759d3fb853930301a33856e
- SHA512: 7c30a74b717da8fddf129dd30005ee4535b6dcebb16db9fa94d05b362e8c07717ce3324cdb13fde08802f42bad09d2eadfb4e7b754583693fb86b61c91b9c94b
-
- Filesize: 71KB
- MD5: cd276b7f841eedfd1a488807d47d5d74
- SHA1: 359cbd9d8ea50ab1378a6d9df624218877146776
- SHA256: f5ed6dde98ede418d40a3906461b9b4f052f0e9cec37cd2ef2717af79247dfb7
- SHA512: 8f36466ce83d02c0f028df5cce54298eee2ce9e51167297966bf861a464f7eb9c1e148363b6f5bdda2de6a736c4654ab53a8e1a5b4bd80b6cf6cc94b3212c257