Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll
Resource
win7-20240708-en
General
-
Target
4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
4b0a169d80d78549b44a0f0ea4fb0191
-
SHA1
39bfa760351066f333d4fc3053524387c5730050
-
SHA256
02aa46cd62cd1e27536ae6ebf261492e23a2c8bb83dc0d2473c681c97eec2944
-
SHA512
84f00331dd0c6dfb5233262a216f314108c85a2c00c19648248e69f45600d1832d954ed6e6d6b303103a57e589b3da7c7d27ed90f2ec07a2ace4902b319efafc
-
SSDEEP
24576:7XzJMraziZ9yieOodKLZZSuZDlJYJeNcKO7ckyvFuBSXTAZ3wua8ZXRl5xysqE7/:Tz+GEmQLXBJYJeTO7clAZLZzbysf7QKd
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ regsvr32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\NoExplorer = "1" regsvr32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F} regsvr32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3988 regsvr32.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32 regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3988 regsvr32.exe 3988 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3724 wrote to memory of 3988 3724 regsvr32.exe 83 PID 3724 wrote to memory of 3988 3724 regsvr32.exe 83 PID 3724 wrote to memory of 3988 3724 regsvr32.exe 83
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Installs/modifies Browser Helper Object
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3988
-