Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/07/2024, 18:25
Static task: static1

Behavioral task: behavioral1
  Sample: 292bfe33552e68ffd9ca06eafa6b908d_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 292bfe33552e68ffd9ca06eafa6b908d_JaffaCakes118.dll
  Resource: win10v2004-20240704-en
General

Target: 292bfe33552e68ffd9ca06eafa6b908d_JaffaCakes118.dll
Size: 112KB
MD5: 292bfe33552e68ffd9ca06eafa6b908d
SHA1: 6302c36bb22d2fff09e9c0e5faa51b6df9530e66
SHA256: b78a6ca815253d3299741e962f13278578a1654f6ae1e93b45a30cec855077d8
SHA512: 31d5c485d71af922bf7dc6ff61618cc6f1b6142135bb84c14c64a16b017f6fb3154cfa7ae329b60c7c67ecce133bf44a0380a06a7d3460b74860581100b1d3d9
SSDEEP: 3072:yLJfhH/kaLvo6UpjAHKnpDMEYrmoQZychpUfPjyI:yhh80pKnRMEWcG
Malware Config
Signatures

- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\InstalledUpdates = "{f94b6217-d6f5-4bbd-a483-452db32138d4}"
  process: regsvr32.exe

- Loads dropped DLL (2 IoCs)
  pid 3020, process regsvr32.exe
  pid 3020, process regsvr32.exe

- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files (x86)\Common Files\Installed\InstalledUpdates.dll
  process: regsvr32.exe

- Modifies registry class (4 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f94b6217-d6f5-4bbd-a483-452db32138d4}
  process: regsvr32.exe

  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f94b6217-d6f5-4bbd-a483-452db32138d4}\InprocServer32
  process: regsvr32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f94b6217-d6f5-4bbd-a483-452db32138d4}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Installed\\InstalledUpdates.dll"
  process: regsvr32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f94b6217-d6f5-4bbd-a483-452db32138d4}\InprocServer32\ThreadingModel = "Apartment"
  process: regsvr32.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3020, process regsvr32.exe
  pid 3020, process regsvr32.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid 3020, process regsvr32.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3020, process regsvr32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5032 wrote to memory of 3020; pid 5032; process regsvr32.exe; procid_target 82
  description: PID 5032 wrote to memory of 3020; pid 5032; process regsvr32.exe; procid_target 82
  description: PID 5032 wrote to memory of 3020; pid 5032; process regsvr32.exe; procid_target 82
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\292bfe33552e68ffd9ca06eafa6b908d_JaffaCakes118.dll
   PID: 5032
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 5032)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\292bfe33552e68ffd9ca06eafa6b908d_JaffaCakes118.dll
      PID: 3020
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 112KB
MD5: 292bfe33552e68ffd9ca06eafa6b908d
SHA1: 6302c36bb22d2fff09e9c0e5faa51b6df9530e66
SHA256: b78a6ca815253d3299741e962f13278578a1654f6ae1e93b45a30cec855077d8
SHA512: 31d5c485d71af922bf7dc6ff61618cc6f1b6142135bb84c14c64a16b017f6fb3154cfa7ae329b60c7c67ecce133bf44a0380a06a7d3460b74860581100b1d3d9