Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10/08/2024, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll
Resource
win7-20240704-en
windows7-x64
6 signatures
150 seconds
General
-
Target
8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll
-
Size
52KB
-
MD5
8549c1d232a43b45a119e386fa837928
-
SHA1
2ea3b4b3cceb2033f7ec99b1cfe616e6406ea93b
-
SHA256
97f760d1a461226af1ce3461208cd168042e2ad8ef7333e8b85f75fcb36f26eb
-
SHA512
3efda30133da06fde6b5ed5f192d7908f8d7166e1d80f5754e16bd040e3b9efa741e54dc74a32de87c883ef68e4691b3e8338e444d5b367e3ae0f02e19ebd730
-
SSDEEP
768:fDmG34nuY+mTMBnbKxzfZiy55p8Ku7VsCZUcfsUb0X0GTTLH27v6y8/imd8gyaTg:rJcIBKRXp8d79P30EGTnoJ8dRy
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 2292 rundll32.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2787680D-A6FC-4D72-A8EB-47988C8A616D} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2787680D-A6FC-4D72-A8EB-47988C8A616D}\NoExplorer = "1" regsvr32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\DisplayName = "°Ù¶È" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes regsvr32.exe Key deleted \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\URL = "http://www.baidu.com/s?tn=leizhen_dg&ie=utf-8&wd={searchTerms}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9}\URL = "http://www.gggdu.com/google?q={searchTerms}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{20C3857E-3A7A-48FF-8C16-8BAFFDF5EE77}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6C08444C-B736-4C01-99A8-4CC9E59A9BC9}\DisplayName = "Google" regsvr32.exe Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000040000001f0000000000000001000000000000000000000005000000000400000000000002000000010000000000000004000000a100000000000000030000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser regsvr32.exe Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000000000000000000000040000001f0000000000000001000000000000000000000005000000000400000000000002000000010000000000000004000000a100000000000000030000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 regsvr32.exe -
Modifies registry class 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2787680D-A6FC-4D72-A8EB-47988C8A616D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2787680D-A6FC-4D72-A8EB-47988C8A616D}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2787680D-A6FC-4D72-A8EB-47988C8A616D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage\Command regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon regsvr32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1628 wrote to memory of 1936 1628 regsvr32.exe 28 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29 PID 1936 wrote to memory of 2292 1936 regsvr32.exe 29
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll2⤵
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\8549c1d232a43b45a119e386fa837928_JaffaCakes118.dll",DllGetObjectType3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2292
-
-