Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 19:13

General

  • Target

    4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    4b0a169d80d78549b44a0f0ea4fb0191

  • SHA1

    39bfa760351066f333d4fc3053524387c5730050

  • SHA256

    02aa46cd62cd1e27536ae6ebf261492e23a2c8bb83dc0d2473c681c97eec2944

  • SHA512

    84f00331dd0c6dfb5233262a216f314108c85a2c00c19648248e69f45600d1832d954ed6e6d6b303103a57e589b3da7c7d27ed90f2ec07a2ace4902b319efafc

  • SSDEEP

    24576:7XzJMraziZ9yieOodKLZZSuZDlJYJeNcKO7ckyvFuBSXTAZ3wua8ZXRl5xysqE7/:Tz+GEmQLXBJYJeTO7clAZLZzbysf7QKd

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\4b0a169d80d78549b44a0f0ea4fb0191_JaffaCakes118.dll
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Identifies Wine through registry keys
      • Installs/modifies Browser Helper Object
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3988

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • memory/3988-0-0x0000000000400000-0x00000000006BB000-memory.dmp (Filesize: 2.7MB)
        • memory/3988-1-0x00000000029E0000-0x0000000002A7D000-memory.dmp (Filesize: 628KB)
        • memory/3988-2-0x00000000778E4000-0x00000000778E6000-memory.dmp (Filesize: 8KB)
        • memory/3988-3-0x0000000000401000-0x0000000000479000-memory.dmp (Filesize: 480KB)
        • memory/3988-4-0x0000000000400000-0x00000000006BB000-memory.dmp (Filesize: 2.7MB)
        • memory/3988-5-0x0000000000400000-0x00000000006BB000-memory.dmp (Filesize: 2.7MB)
        • memory/3988-6-0x0000000003DC0000-0x0000000003DC1000-memory.dmp (Filesize: 4KB)