Analysis
-
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 04/07/2024, 00:57
Behavioral task: behavioral1
Sample: 2417eb085a2594417b527277d69821ed_JaffaCakes118.exe
Resource: win7-20240508-en
(The task entry above is the selector for the Windows 7 run; the signatures, memory dumps and process tree that follow are from the behavioral2 task on win10v2004-20240611-en, as the platform field and the behavioral2/ resource names show.)
General
-
Target: 2417eb085a2594417b527277d69821ed_JaffaCakes118.exe
Size: 170KB
MD5: 2417eb085a2594417b527277d69821ed
SHA1: f73bc1270f4e5cbb652de2efa1d589da50068ca3
SHA256: 54ee7bd35f6ad5466238fd9992f53bc5f49bcebb576a97a9cffa27abcf398201
SHA512: e17ccea200bc73fc8b8b1bc9b502d329f6b72305772ac3cdd0bd3557e0e5a28f8551a9bc45ca9aa24aa6bdda964130a11395ec19861705ec5b573b1058379601
SSDEEP: 3072:bodbh52l7dg4hvhDOAOy8C8pJhVO6UghAsywoMR+2gwRRsgKt1UB3I/cyUZVezk:8Jh5UTvDOy8npZJLywoMjWgKcVDyUZVv
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 324B.tmp
Executes dropped EXE 2 IoCs
pid | Process
1108 | 324B.tmp
50892 | 5B11.tmp
Loads dropped DLL 2 IoCs
pid | Process
1108 | 324B.tmp
50944 | rundll32.exe
UPX-packed (yara rule upx) 5 IoCs
resource | yara_rule
behavioral2/memory/1556-0-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral2/files/0x000800000002355a-6.dat | upx
behavioral2/memory/1108-9-0x0000000010000000-0x000000001002D000-memory.dmp | upx
behavioral2/memory/1556-13841-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral2/memory/1556-13852-0x0000000000400000-0x0000000000440000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 5 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (prefix omitted); every row is process 324B.tmp.
Key created | (the Browser Helper Objects key itself)
Key created | \{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}
Set value (str) | \{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\
Key deleted | \{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Key deleted | \{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\com7.qcc | 5B11.tmp
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll | 324B.tmp
File opened for modification | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll | 324B.tmp
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\menaa1.dll | 324B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks\{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7} | 324B.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | 324B.tmp
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | 324B.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks | 324B.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks | 324B.tmp
Modifies registry class 34 IoCs
description | ioc | Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\ (prefix omitted); every row is process 324B.tmp.
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version
Set value (str) | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\InprocServer32\ThreadingModel = "Apartment"
Key created | {0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}\InprocServer32
Set value (str) | {BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\InprocServer32\ThreadingModel = "Apartment"
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable
Key created | {0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}
Key created | {BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\InprocServer32
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID
Key created | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\InprocServer32
Key created | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\Implemented Categories
Key created | {BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Set value (str) | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\ = "JavaScript console"
Set value (str) | {0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}\InprocServer32\ = "C:\\Windows\\menaa1.dll"
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID
Set value (str) | {0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}\InprocServer32\ThreadingModel = "Apartment"
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib
Set value (str) | {BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\ = "Class"
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32
Key created | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32
Set value (str) | {BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\InprocServer32\ = "C:\\Windows\\menaa1.dll"
Key deleted | {1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}
Key deleted | {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories
Set value (str) | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\InprocServer32\ = "C:\\Windows\\menaa1.dll"
Key created | {E4242F04-6BA1-6FD3-5ACD-7BA1ED4A8097}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
Set value (str) | {0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}\ = "Class"
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1108 | 324B.tmp   (repeated; 41 of the 42 listed events)
Token: SeIncBasePriorityPrivilege | 1108 | 324B.tmp   (1 event)
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 1556 wrote to memory of 1108 | 1556 | 2417eb085a2594417b527277d69821ed_JaffaCakes118.exe | 82   (3 events)
PID 1108 wrote to memory of 50760 | 1108 | 324B.tmp | 83   (3 events)
PID 1556 wrote to memory of 50892 | 1556 | 2417eb085a2594417b527277d69821ed_JaffaCakes118.exe | 85   (3 events)
PID 50892 wrote to memory of 50944 | 50892 | 5B11.tmp | 86   (3 events)
PID 1556 wrote to memory of 11240 | 1556 | 2417eb085a2594417b527277d69821ed_JaffaCakes118.exe | 90   (3 events)
PID 50892 wrote to memory of 11784 | 50892 | 5B11.tmp | 97   (3 events)
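Read together, the registry rows above describe an extension swap rather than a simple install: two existing BHO CLSIDs ({1FD49718-1D00-4B19-AF5F-070AF6D5D54C} and {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}) are unregistered while the Edge and Office BHO DLLs under Program Files are opened for modification (which is what the repeated SeTakeOwnershipPrivilege use fits), and three new CLSIDs ({BDA5860F-…}, {E4242F04-…} named "JavaScript console", {0B1D3C42-…}) are all pointed at C:\Windows\menaa1.dll, of which only {BDA5860F-…} is wired in as a BHO and a URLSearchHook. The script below is an added example, not the sandbox's code nor anything from the sample: it parses a text .reg export, resolves each BHO subkey and URLSearchHooks value name to the DLL COM would load (the CLSID's InprocServer32 default value), flags servers outside the usual vendor directories, and separately sweeps every InprocServer32 so the two CLSIDs that are registered but not yet referenced are not missed. SAMPLE_REG is constructed from this report's IoCs plus one benign Microsoft URL Search Hook entry ({CFBFAE00-…}, which the report also rewrites) whose ieframe.dll path is assumed; EXPECTED_DIRS is a heuristic, not a policy.

```python
"""Resolve IE BHO / URLSearchHook registrations from a text .reg export.

Added example, not the sandbox's or the sample's code. Resolves each Browser
Helper Object subkey and URLSearchHooks value name to the DLL COM would load
(CLSID\\{...}\\InprocServer32 default value) and flags servers outside the usual
vendor directories. SAMPLE_REG is constructed from this report's IoCs plus one
benign Microsoft hook entry whose ieframe.dll path is assumed.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks]
"{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}"=""
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDA5860F-3E62-4203-EDE7-C0EE64AB04F7}\InprocServer32]
@="C:\\Windows\\menaa1.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B1D3C42-D6FF-1AFA-07FE-5C2599F81CC1}\InprocServer32]
@="C:\\Windows\\menaa1.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32]
@="C:\\Windows\\SysWOW64\\ieframe.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
# Heuristic: where a legitimately installed 32-bit IE extension normally lives.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip a .reg REG_SZ literal's quotes and undo its backslash escapes; other types stay raw."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s

def parse_reg(text):
    """Return {key_path.lower(): {value_name: data}}; the key's default value has name ""."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys

def registered_extensions(keys):
    """Yield (kind, clsid) for each BHO subkey and each URLSearchHooks value name."""
    prefix = BHO_KEY.lower() + "\\"
    for path in keys:
        if path.startswith(prefix) and "\\" not in path[len(prefix):]:
            yield "BHO", path[len(prefix):].upper()
    for name in keys.get(HOOKS_KEY.lower(), {}):
        if name.startswith("{"):
            yield "URLSearchHook", name.upper()

def resolve_server(keys, clsid):
    """DLL COM would load for clsid (InprocServer32 default value), or None if unregistered."""
    return keys.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), {}).get("")

def outside_vendor_dirs(dll):
    path = (dll or "").lower().replace("%systemroot%", "c:\\windows")
    return not path.startswith(EXPECTED_DIRS)

def audit(reg_text):
    """[(kind, clsid, dll, suspicious)] for every registered BHO and URLSearchHook."""
    keys = parse_reg(reg_text)
    out = []
    for kind, clsid in registered_extensions(keys):
        dll = resolve_server(keys, clsid)
        out.append((kind, clsid, dll, dll is None or outside_vendor_dirs(dll)))
    return out

def sweep_inproc_servers(keys):
    """{clsid: dll} for every InprocServer32 outside vendor dirs, whether or not any
    BHO/hook references it yet (this report registers three CLSIDs for one DLL)."""
    root = CLSID_ROOT.lower() + "\\"
    hits = {}
    for path, values in keys.items():
        if path.startswith(root) and path.endswith("\\inprocserver32") and outside_vendor_dirs(values.get("")):
            hits[path[len(root):-len("\\inprocserver32")].upper()] = values.get("")
    return hits

if __name__ == "__main__":
    for kind, clsid, dll, bad in audit(SAMPLE_REG):
        print(f"{'SUSPICIOUS' if bad else 'ok':10} {kind:13} {clsid} -> {dll}")
    print("servers outside vendor dirs:", sweep_inproc_servers(parse_reg(SAMPLE_REG)))
```

On a live host, produce the input with `reg export` for the BHO key, the URLSearchHooks key and HKLM\SOFTWARE\Classes\WOW6432Node\CLSID (its output is UTF-16, so open it with encoding="utf-16") and concatenate the files; repeat for the non-WOW6432Node paths to cover 64-bit Internet Explorer. A dangling registration (CLSID with no InprocServer32) is reported as suspicious too, since that is what an interrupted uninstall or a half-removed implant looks like.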
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe  (PID 1556)
    command line: "C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\TEMP\324B.tmp  (PID 1108)
        command line: C:\Windows\TEMP\324B.tmp
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 50760)
            command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\TEMP\324B.tmp > nul
    [2] C:\Windows\TEMP\5B11.tmp  (PID 50892)
        command line: C:\Windows\TEMP\5B11.tmp
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 50944)
            command line: rundll32 \\?\C:\Windows\system32\com7.qcc,dhoonwue
            - Loads dropped DLL
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 11784)
            command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576ef6.bat" "C:\Windows\TEMP\5B11.tmp""
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 11240)
        command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576300.bat" "C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe""
-
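Two details in the tree deserve a closer look. First, 5B11.tmp creates C:\Windows\SysWOW64\com7.qcc and its 32-bit rundll32 child loads it as \\?\C:\Windows\system32\com7.qcc: under WOW64 file system redirection those are the same file, and the \\?\ prefix is not decoration. com7 is a reserved DOS device name, so an ordinary Win32 path ending in com7.qcc is parsed as the COM7 device; only a \\?\ (or \\.\) path reaches the file, which also means tools and cleanup scripts that do not add the prefix cannot open, copy or delete it. Second, 324B.tmp spawns cmd.exe /c del <its own image> > nul, the usual self-delete; the two .bat files handed the dropper's and 5B11.tmp's paths are consistent with the same cleanup, but their contents are not on this page. The script below is an added example, not the sandbox's code and not the sample's: it runs both checks over a constructed copy of this process tree (PIDs and command lines as shown; the event dictionary shape is an assumption). It is written in Python so it can be run over exported process telemetry from any system, not only on the infected host.

```python
"""Triage a sandbox process tree for two tricks visible in this report.

Added example, not the sandbox's code and not the sample's. EVENTS is a constructed
copy of the process tree above (PIDs and command lines as shown; the event shape
is an assumption). Two checks: (1) a path whose basename is a Win32 reserved
device name, which is why rundll32 had to use the \\\\?\\ prefix to load com7.qcc,
and (2) a cmd.exe child whose command line deletes its parent's own image.
"""
import re

# Classic Win32 rule: a basename whose stem (text before the first dot) is one of these
# names refers to the device, not to a file; only a \\?\ (or \\.\) prefixed path reaches
# the file, so most tools and scripts that do not add the prefix cannot open or delete it.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

# Quoted path, or a bare one; the \\?\ prefix is kept. A bare path stops at a comma so
# rundll32's "dll,entrypoint" syntax does not swallow the export name.
PATH_RE = re.compile(r'"((?:\\\\\?\\)?[A-Za-z]:\\[^"]+)"|((?:\\\\\?\\)?[A-Za-z]:\\[^\s",]+)')
# "del [/switches] <target>" as issued through cmd.exe /c.
DEL_RE = re.compile(r'\bdel\s+(?:/\S+\s+)*"?([^"\s>]+)', re.IGNORECASE)

# Constructed from the process tree in this report.
EVENTS = [
    {"pid": 1556, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe"'},
    {"pid": 1108, "ppid": 1556, "image": r"C:\Windows\TEMP\324B.tmp", "cmdline": r"C:\Windows\TEMP\324B.tmp"},
    {"pid": 50760, "ppid": 1108, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\TEMP\324B.tmp > nul'},
    {"pid": 50892, "ppid": 1556, "image": r"C:\Windows\TEMP\5B11.tmp", "cmdline": r"C:\Windows\TEMP\5B11.tmp"},
    {"pid": 50944, "ppid": 50892, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 \\?\C:\Windows\system32\com7.qcc,dhoonwue"},
    {"pid": 11784, "ppid": 50892, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576ef6.bat" "C:\Windows\TEMP\5B11.tmp""'},
    {"pid": 11240, "ppid": 1556, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e576300.bat" "C:\Users\Admin\AppData\Local\Temp\2417eb085a2594417b527277d69821ed_JaffaCakes118.exe""'},
]

def is_reserved_name(path):
    """True if the basename's stem is a reserved device name (com7.qcc, NUL.txt, ...)."""
    base = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return base.split(".", 1)[0].rstrip(" ").upper() in RESERVED

def paths_in(cmdline):
    """Windows paths mentioned in a command line, quoted or bare, \\?\ prefix kept."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]

def triage(events):
    """Return [(pid, finding, path)] for reserved-name paths and parent self-deletes."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for p in paths_in(e["cmdline"]):
            if is_reserved_name(p):
                findings.append((e["pid"], "reserved-device-name path", p))
        parent = by_pid.get(e["ppid"])
        m = DEL_RE.search(e["cmdline"]) if e["image"].lower().endswith("\\cmd.exe") else None
        if parent and m and m.group(1).lower() == parent["image"].lower():
            findings.append((e["pid"], "parent self-delete via cmd", m.group(1)))
    return findings

if __name__ == "__main__":
    for pid, what, path in triage(EVENTS):
        print(f"pid {pid}: {what}: {path}")
```

To remove the dropped loader by hand, the same prefix is required on the cleanup side, for example del "\\?\C:\Windows\SysWOW64\com7.qcc" from an elevated cmd.exe; a plain del com7.qcc fails against the device name. The self-delete rule keys on the parent's image path rather than on the string "del" alone, which keeps it from firing on the many benign installers that delete temporary files.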
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 49B
MD5: 1e78a79ffa37ddde81acda102e36b39f
SHA1: 918c55e1dd318ab0039ea07f3f824cecb20c85b7
SHA256: 3178e2677e07e03c39fe6c1bad769d1ed163cb043e5364a519be7a5349e080a8
SHA512: d0d1c6157d64ff910ca4cc5b48992755ffe4ea27c04eec5441097df6998a22e1f578f3a8a990df7b4e20c77c91246472da45e91a01af4123945e47c60773e73c
-
Filesize: 129KB
MD5: b282a717f45be7d9c1b3efcc05209a43
SHA1: 802c0210436591c78b52a57961c23adc9bab1747
SHA256: e80b4b6e5a871ea3773f482ff06cbdbd20bef5d74e7db80b7afbc37d35b2ca53
SHA512: c446eb0a9c61bb39ae537ad8cc1730d29274e8618ebe6c79684fa5d04635c739ee4c545b590154c4aa60864867af2ef6931c403dce1dd9b0671640149e5341be
-
Filesize: 84KB
MD5: b255e577b30f349d171caf8bc5046766
SHA1: f9c680b736a495bb271a5ef45952ea94e765c690
SHA256: eb36f59b0bbf219b3c1b8971646a044c78a7ecfe31bbba5b54e30c7194ef4c98
SHA512: 0602f58118a82b42bb27fc734db2131ba17db286f8889d90852ffac0a10e03ec79ffdfccb615b11b02c22e91b03e30f48ec3c8b1ca38fcb4124e65b4bc6a25ee
-
Filesize: 141KB
MD5: cf664d25f2af800a188e6d392028d350
SHA1: a2c80f30d4114cf1f4aec1fd65214b0dd5ca9bf4
SHA256: 947d021283f080efa75651d39fcf532ee80773a6182d87f7d2bb44b27ceb4c46
SHA512: 167f061447b1496ffa7e7fc1fd257c850e62062d57f889143e777d5f3bb3495668494ce71cb6d70e1255009ea72a6ce4f84ca21e1ef48a2c79a985278b912d07
-
Filesize: 64KB
MD5: f088b680d1147fe2e1a408ac94fb073f
SHA1: 88b01fa09aa0a1b55f818e9a6c461e45736eafaf
SHA256: d2f571fc73c3c81d12d7bfdf7193d0699d6148d692c66a3ccfe77e4b400101b9
SHA512: 7f39dc465ae0db417988fd37be87842b929be42b5a6fdab19c0a6441cccdd0db084344e2c16d5112cd6277a78e331a72c71899361f778b8b6b7ac7965ac3781d