Analysis
  max time kernel: 94s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/10/2024, 01:17
Behavioral task: behavioral1
  Sample: 0837448d01426608a66931b99151e4c3_JaffaCakes118.dll
  Resource: win7-20240903-en
  5 signatures
  150 seconds
General
  Target: 0837448d01426608a66931b99151e4c3_JaffaCakes118.dll
  Size: 237KB
  MD5: 0837448d01426608a66931b99151e4c3
  SHA1: b6133b217f8163f519f16366d6d187887f8c3e3f
  SHA256: eb1b66ee7a3ead7b51e420615a74b0032cdf94e1d64b1de12497455d593a08b8
  SHA512: f3edd1089d6f2ba8abeeac18d852bc7ae056df8af06dc5f7a60c1f01d8fbfce219f8bb627423ebdd2fbb581fa875f785348e4787f685985428325f301a1f00c3
  SSDEEP: 6144:GD/hMJCeHCP+7+MkgYN6d6bTr8bDBIF1QKFGPmaMn:GD5MJCeHikfZYN6dUeDebB
Malware Config

Signatures

Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
  process: regsvr32.exe

YARA rule match
  resource: behavioral2/memory/4000-0-0x0000000000400000-0x00000000004A2000-memory.dmp
  yara_rule: upx

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: regsvr32.exe

Modifies registry class (5 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
  process: regsvr32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\
  process: regsvr32.exe

  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32
  process: regsvr32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0837448d01426608a66931b99151e4c3_JaffaCakes118.dll"
  process: regsvr32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32\ThreadingModel = "Apartment"
  process: regsvr32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4888 wrote to memory of 4000 | pid: 4888 | process: regsvr32.exe | procid_target: 82
  description: PID 4888 wrote to memory of 4000 | pid: 4888 | process: regsvr32.exe | procid_target: 82
  description: PID 4888 wrote to memory of 4000 | pid: 4888 | process: regsvr32.exe | procid_target: 82
Processes

1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0837448d01426608a66931b99151e4c3_JaffaCakes118.dll
   PID: 4888
   signatures:
     - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 4888)
      command line: /s C:\Users\Admin\AppData\Local\Temp\0837448d01426608a66931b99151e4c3_JaffaCakes118.dll
      PID: 4000
      signatures:
        - Installs/modifies Browser Helper Object
        - System Location Discovery: System Language Discovery
        - Modifies registry class