Analysis

max time kernel: 139s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 02:53

Static task: static1
Behavioral task: behavioral1
Sample: 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Resource: win7-20240729-en
General

Target: 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Size: 75KB
MD5: 8ec80f0c252e4428e2e383aad8cc212a
SHA1: 4635ab9c4a56f4846b5872c9abede2b68819fe8b
SHA256: dc7df90dc4e9c9898f92023224b4e20a791b728543c5ec7f5703f6880f4e42d1
SHA512: 211a1f9db2ed646e86596e57648dc6bbb63401d1830109bd85a70092e4df490c2280e9879a845ecbe2dbd842ef7447ea8a4d9d0f966d52b4d0e96e7385fa9775
SSDEEP: 1536:QXWwODtX2W5AUSrKev9yG0hcEptq60gm0UlBdDz7F0grZetx9mAN:YWbOrF9PC0MSlJRsIAN
Malware Config
Signatures
Windows security bypass 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe

Loads dropped DLL 1 IoCs
pid | Process
912 | regsvr32.exe

Windows security modification 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12} | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\NoExplorer = "1" | regsvr32.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\ieocx.dll | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Modifies Control Panel 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\don't load | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\don't load\scui.cpl = "No" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\don't load\wscui.cpl = "No" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Modifies registry class 60 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\InprocServer32\ = "C:\\Windows\\ieocx.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\ = "DHCP 1.0 Type Library" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A54DC52D-7AAD-4D40-A126-337211631EDC}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\VersionIndependentProgID\ = "IEocxApp.IEocx" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\ = "IEocx Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A54DC52D-7AAD-4D40-A126-337211631EDC}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{A54DC52D-7AAD-4D40-A126-337211631EDC}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\ProgID\ = "IEocxApp.IEocx.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\TypeLib\ = "{a54dc52d-7aad-4d40-a126-337211631edc}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{A54DC52D-7AAD-4D40-A126-337211631EDC}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\HELPDIR\ = "C:\\Windows" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A54DC52D-7AAD-4D40-A126-337211631EDC}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 | regsvr32.exe
Runs net.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2744 wrote to memory of 912 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 87
PID 2744 wrote to memory of 912 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 87
PID 2744 wrote to memory of 912 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 87
PID 2744 wrote to memory of 2828 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 88
PID 2744 wrote to memory of 2828 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 88
PID 2744 wrote to memory of 2828 | 2744 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 88
PID 2828 wrote to memory of 3592 | 2828 | net.exe | 90
PID 2828 wrote to memory of 3592 | 2828 | net.exe | 90
PID 2828 wrote to memory of 3592 | 2828 | net.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe"
  - Windows security bypass
  - Windows security modification
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID: 2744

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID: 912

    C:\Windows\SysWOW64\net.exe
      Command line: C:\Windows\system32\net.exe stop "Security Center"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2828

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Security Center"
          - System Location Discovery: System Language Discovery
          PID: 3592

The sample is a 32-bit executable on a 64-bit host: the command lines name system32, but WOW64 file-system redirection ran the SysWOW64 copies of regsvr32.exe, net.exe and net1.exe, and registry redirection sent its HKLM writes under WOW6432Node. Hunting for these IOCs on x64 hosts must therefore check the WOW6432Node views of the Security Center, Browser Helper Objects and CLSID keys, not only the native ones.
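Detection logic for the behaviours catalogued above, added here as an example; it is not part of the sandbox report. It walks a list of constructed registry and process events (the event records and their field names are this script's own, loosely modelled on Sysmon registry and process-create events, and the values are copied from the IOCs on this page) and emits one finding per behaviour: Security Center notification suppression, hiding of the Security Center applets via "don't load", the net stop of the Security Center service, and BHO registration. For the BHO it correlates the CLSID under Browser Helper Objects with the CLSID's InprocServer32 default value so the responder gets the DLL path to collect, and it strips WOW6432Node before matching so 32-bit and native writes hit the same rule.

```python
"""Behaviour rules for the Security Center tampering and BHO persistence seen
in the report.  Added example with constructed events, not captured telemetry."""
import re
from dataclasses import dataclass

# Security Center values the sample sets to "1" to silence AV/firewall/update alerts.
NOTIFY_VALUES = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}
# Control Panel applets the sample hides (Security Center UI); "No" under "don't load".
HIDDEN_APPLETS = {"scui.cpl", "wscui.cpl"}
CLSID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}")
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
ARGS_RE = re.compile(r'"[^"]*"|\S+')


def norm(path: str) -> str:
    """Lower-case a registry path and drop the WOW6432Node hop so a 32-bit
    process's redirected writes compare equal to the native 64-bit key."""
    return path.lower().replace("\\wow6432node", "")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def analyze(events):
    """Return findings for the event list; BHO findings are emitted last because
    the InprocServer32 value may be written before or after the BHO key."""
    findings = []
    bhos = {}      # CLSID -> [registering image, NoExplorer seen]
    servers = {}   # CLSID -> DLL path from InprocServer32 default value
    for ev in events:
        image = ev["image"]
        if ev["type"] in ("reg_set", "reg_key"):
            key = norm(ev["key"])
            name = ev.get("value", "").lower()          # "" means the default value
            data = str(ev.get("data", "")).strip()
            if key.endswith("\\microsoft\\security center") and name in NOTIFY_VALUES and data == "1":
                findings.append(Finding("security_center_notify_disabled", image, f"{name} = 1"))
            elif key.endswith("\\control panel\\don't load") and name in HIDDEN_APPLETS and data.lower() == "no":
                findings.append(Finding("security_applet_hidden", image, f"{name} hidden from Control Panel"))
            elif "\\browser helper objects\\" in key:
                m = CLSID_RE.search(key)
                if m:
                    entry = bhos.setdefault(m.group(0), [image, False])
                    if name == "noexplorer" and data == "1":
                        entry[1] = True
            else:
                m = INPROC_RE.search(key)
                if m and name == "":
                    servers[m.group(1)] = data
        elif ev["type"] == "process":
            exe = image.rsplit("\\", 1)[-1].lower()
            args = ARGS_RE.findall(ev.get("cmdline", "").lower())
            if exe in ("net.exe", "net1.exe") and len(args) >= 3 and args[1] == "stop" \
                    and args[2].strip('"') in ("security center", "wscsvc"):
                findings.append(Finding("security_center_service_stop", image, ev["cmdline"]))
    for clsid, (image, no_explorer) in bhos.items():
        dll = servers.get(clsid, "<InprocServer32 not seen>")
        note = " (NoExplorer=1: loads in Internet Explorer only)" if no_explorer else ""
        findings.append(Finding("bho_registered", image, f"{clsid} -> {dll}{note}"))
    return findings


# Constructed events mirroring the report's IOCs, plus two benign records that must not match.
SAMPLE = "8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe"
CLSID = "{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}"
SC_KEY = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center"
DL_KEY = "HKU\\S-1-5-21-1045960512-3948844814-3059691613-1000\\Control Panel\\don't load"
BHO_KEY = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + CLSID
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": SAMPLE, "key": SC_KEY, "value": "AntiVirusDisableNotify", "data": "1"},
    {"type": "reg_set", "image": SAMPLE, "key": SC_KEY, "value": "UpdatesDisableNotify", "data": "1"},
    {"type": "reg_set", "image": SAMPLE, "key": SC_KEY, "value": "FirewallDisableNotify", "data": "1"},
    {"type": "reg_key", "image": SAMPLE, "key": DL_KEY},
    {"type": "reg_set", "image": SAMPLE, "key": DL_KEY, "value": "scui.cpl", "data": "No"},
    {"type": "reg_set", "image": SAMPLE, "key": DL_KEY, "value": "wscui.cpl", "data": "No"},
    {"type": "reg_key", "image": "regsvr32.exe", "key": BHO_KEY},
    {"type": "reg_set", "image": "regsvr32.exe", "key": BHO_KEY, "value": "NoExplorer", "data": 1},
    {"type": "reg_set", "image": "regsvr32.exe",
     "key": "HKLM\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\" + CLSID + "\\InprocServer32",
     "value": "", "data": "C:\\Windows\\ieocx.dll"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\net.exe",
     "cmdline": 'C:\\Windows\\system32\\net.exe stop "Security Center"'},
    {"type": "reg_set", "image": "explorer.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "value": "Hidden", "data": "1"},
    {"type": "process", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\fileserver\\share"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image:52} {f.detail}")
```

The service-stop rule also accepts the service name wscsvc, since `net stop` takes either the display name or the short name; the display name is what this sample used.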
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 29KB
MD5: 74b6a00a13cb371c4c919da8e44eac5e
SHA1: baa584419445c50188ce895947bc5783bde5ea5c
SHA256: 21511fea07b56208026de586fd4ed1d204a2b74124f5437cc3d1deeffb21d471
SHA512: 73ef4be67472a7299ae024d455aadb3069ee2eef746f98a9a43b5fa2b89fcf6017a202d1b81626c1926c0920946191dab23360a8be7afb3f5e909c3565f66828