Overview
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 17:06
Tasks (task: sample, resource)
Static task static1
Behavioral task behavioral1: de89b60e03ead9a168ff08e893e7d585_JaffaCakes118.exe, win7-20240903-en
Behavioral task behavioral2: de89b60e03ead9a168ff08e893e7d585_JaffaCakes118.exe, win10v2004-20240802-en
Behavioral task behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
Behavioral task behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240802-en
Behavioral task behavioral5: $PLUGINSDIR/Processes.dll, win7-20240903-en
Behavioral task behavioral6: $PLUGINSDIR/Processes.dll, win10v2004-20240802-en
Behavioral task behavioral7: $PLUGINSDIR/System.dll, win7-20240903-en
Behavioral task behavioral8: $PLUGINSDIR/System.dll, win10v2004-20240802-en
Behavioral task behavioral9: $PROGRAMFILES/ics_toolbar/uninstall.exe, win7-20240704-en
Behavioral task behavioral10: $PROGRAMFILES/ics_toolbar/uninstall.exe, win10v2004-20240802-en
Behavioral task behavioral11: $PLUGINSDIR/InetLoad.dll, win7-20240903-en
Behavioral task behavioral12: $PLUGINSDIR/InetLoad.dll, win10v2004-20240802-en
Behavioral task behavioral13: $PLUGINSDIR/System.dll, win7-20240708-en
Behavioral task behavioral14: $PLUGINSDIR/System.dll, win10v2004-20240802-en
Behavioral task behavioral15: $PLUGINSDIR/locate.dll, win7-20240708-en
Behavioral task behavioral16: $PLUGINSDIR/locate.dll, win10v2004-20240802-en
Behavioral task behavioral17: $_8_/ics_toolbar/$R0.dll, win7-20240903-en
General
Target: $_8_/ics_toolbar/$R0.dll
Size: 1.9MB
MD5: f1282f02b53154b512c835a373b6dc05
SHA1: c4280dd668705465513512824555e2e66b5afe0f
SHA256: cbf22c1090741eac1d055136a97aaa42aaef7b9644d37b8a9ab88680c0ccda7c
SHA512: 1bedd448843efb496ebe79100c791fedca7a0c5a4e28b4edd723b2e5569c402eeb1581132b738809a08e9c5a63a992e4a6d54f9c7ed5e418bf743791b7cfa9a4
SSDEEP: 24576:A2lzv3EifooUZeerxeThERUekCNArBnFXaI+731wu2724sNjJ9KRrmNByD:Ae/qeJOArFdaI+7Fo64sX9CrmNA
Malware Config
Signatures

Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A057A204-BACC-4D26-9C92-30A187E26996} | regsvr32.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe

Modifies Internet Explorer settings
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A057A204-BACC-4D26-9C92-30A187E26996} = "56580877" | regsvr32.exe

Modifies registry class (33 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_8_\\ics_toolbar\\$R0.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARToggle Button\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\ = "ICS_TOOLBARMenu Button" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\ProgID\ = "$R0.ICS_TOOLBARMenu Button" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBAR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARToggle Button | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARToggle Button\ = "ICS_TOOLBARToggle Button" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARMenu Button\Clsid\ = "{A057A204-BACC-4D26-9C92-30A187E26998}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_8_\\ics_toolbar\\$R0.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\ = "ICS_TOOLBAR" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBAR\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\ProgID\ = "$R0.ICS_TOOLBARToggle Button" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBAR\ = "ICS_TOOLBAR" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARToggle Button\Clsid\ = "{A057A204-BACC-4D26-9C92-30A187E26997}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARMenu Button | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARMenu Button\ = "ICS_TOOLBARMenu Button" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26998}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBAR\Clsid\ = "{A057A204-BACC-4D26-9C92-30A187E26996}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997}\ = "ICS_TOOLBARToggle Button" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.ICS_TOOLBARMenu Button\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_8_\\ics_toolbar\\$R0.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26996}\ProgID\ = "$R0.ICS_TOOLBAR" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A057A204-BACC-4D26-9C92-30A187E26997} | regsvr32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
2044 | regsvr32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | procid_target
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
PID 2280 wrote to memory of 2044 | 2280 | regsvr32.exe | 31
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_8_\ics_toolbar\$R0.dll
   PID: 2280
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 2280)
      command line: /s C:\Users\Admin\AppData\Local\Temp\$_8_\ics_toolbar\$R0.dll
      PID: 2044
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx