Overview
overview
7Static
static
16fae566b41...18.exe
windows7-x64
76fae566b41...18.exe
windows10-2004-x64
7mcffplg.dll
windows7-x64
3mcffplg.dll
windows10-2004-x64
3saffplg.js
windows7-x64
3saffplg.js
windows10-2004-x64
3mcieplg.dll
windows7-x64
6mcieplg.dll
windows10-2004-x64
3x64/mcieplg.dll
windows7-x64
7x64/mcieplg.dll
windows10-2004-x64
1$TEMP/$_0_...st.exe
windows7-x64
$TEMP/$_0_...st.exe
windows10-2004-x64
$TEMP/$_0_...ui.dll
windows7-x64
1$TEMP/$_0_...ui.dll
windows10-2004-x64
1$TEMP/$_0_...ns.dll
windows7-x64
1$TEMP/$_0_...ns.dll
windows10-2004-x64
1mcsacins.dll
windows7-x64
3mcsacins.dll
windows10-2004-x64
3saInst.exe
windows7-x64
7saInst.exe
windows10-2004-x64
7$TEMP/$_0_...st.exe
windows7-x64
$TEMP/$_0_...st.exe
windows10-2004-x64
mcbrwctl.dll
windows7-x64
3mcbrwctl.dll
windows10-2004-x64
3mcsacore.exe
windows7-x64
3mcsacore.exe
windows10-2004-x64
3mcsacoreps.dll
windows7-x64
3mcsacoreps.dll
windows10-2004-x64
3saupkeep.dll
windows7-x64
3saupkeep.dll
windows10-2004-x64
3uninstall.exe
windows7-x64
3uninstall.exe
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 13:01
Static task
static1
Behavioral task
behavioral1
Sample
6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
mcffplg.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
mcffplg.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
saffplg.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
saffplg.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
mcieplg.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
mcieplg.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
x64/mcieplg.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
x64/mcieplg.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$TEMP/$_0_ /mcinst.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$TEMP/$_0_ /mcinst.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMP/$_0_ /mcplgui.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMP/$_0_ /mcplgui.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/$_0_ /mcsacins.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/$_0_ /mcsacins.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
mcsacins.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral18
Sample
mcsacins.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
saInst.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
saInst.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/$_0_ /saInst.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/$_0_ /saInst.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
mcbrwctl.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
mcbrwctl.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
mcsacore.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
mcsacore.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
mcsacoreps.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
mcsacoreps.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
saupkeep.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral30
Sample
saupkeep.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
uninstall.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
uninstall.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
x64/mcieplg.dll
-
Size
195KB
-
MD5
86da25bfc5d1094755f31d54aa41e85e
-
SHA1
542900d98fe53e739af61e0680198ca0d28521e3
-
SHA256
06a6d77b686fad1925f29f06f36bd1ead7389b3dbd3bb7707db2d30d47c3af5d
-
SHA512
cd347204470e13720315991b8af400119bb3524e459b055176e2f073af42b8b1eb1bd899e67ea3f528f33abb1fccfbc0d82c15da44a45a405d8a94ca93f4b80a
-
SSDEEP
3072:71wfYylR1s/isFssMD6f0lanFxXFgIVyh/IdBTldzId4XegmaCF5ucG0rK:71+H1s/I2f0laiMy5IBZ6Fmclu
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\NoExplorer = "1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} regsvr32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} = "McAfee SiteAdvisor" regsvr32.exe -
Modifies registry class 23 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x64\\mcieplg.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E2866A1-D239-411E-A35D-3CBC34C84E92}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E2866A1-D239-411E-A35D-3CBC34C84E92}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x64\\mcieplg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E2866A1-D239-411E-A35D-3CBC34C84E92}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ = "McAfee SACore Protocol Handler" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x64\\mcieplg.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E2866A1-D239-411E-A35D-3CBC34C84E92} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sacore\CLSID = "{5513F07E-936B-4E52-9B00-067394E91CC5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sacore regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ = "McAfee SiteAdvisor BHO" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x64\\mcieplg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E2866A1-D239-411E-A35D-3CBC34C84E92}\ = "McAfee MimeFilter" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\ = "McAfee SiteAdvisor Toolbar" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe