Analysis
-
max time kernel
14s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06/07/2024, 14:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll
Resource
win7-20240704-en
windows7-x64
4 signatures
150 seconds
General
-
Target
28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll
-
Size
156KB
-
MD5
28740f7bf86e2e617604aaaa56446cb1
-
SHA1
ea6d206785e91fe980a3bc1728c641f8854e904d
-
SHA256
6e35e1ed230939b3945804b799b2eda635e1caec60f0d338c8debfd0d6ee9941
-
SHA512
2458474e60ca459a276d0bfe53b7a3de6174ca5b42d820864fc68a9c6858e86baadf60365e1009831491ba4ba2edc0cf63ef18a5a7acc9c6bc6ee9a298a0541c
-
SSDEEP
3072:CeB89TOuWfZk8WptM9edz9ZloCOmojbKOpbP3z0:x8oGNoedz7O/T
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system.ini regsvr32.exe -
Modifies registry class 31 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30 PID 624 wrote to memory of 924 624 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\28740f7bf86e2e617604aaaa56446cb1_JaffaCakes118.dll2⤵
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
PID:924
-