Overview

Score | Target | Platform
--- | --- | ---
7 | Static | static
3 | bb98eac438...18.exe | windows7-x64
7 | bb98eac438...18.exe | windows10-2004-x64
7 | $PLUGINSDI...ad.dll | windows7-x64
3 | $PLUGINSDI...ad.dll | windows10-2004-x64
3 | $PLUGINSDI...st.dll | windows7-x64
3 | $PLUGINSDI...st.dll | windows10-2004-x64
3 | $PLUGINSDI...em.dll | windows7-x64
3 | $PLUGINSDI...em.dll | windows10-2004-x64
3 | $PLUGINSDI...gs.dll | windows7-x64
3 | $PLUGINSDI...gs.dll | windows10-2004-x64
3 | $PLUGINSDI...ec.dll | windows7-x64
3 | $PLUGINSDI...ec.dll | windows10-2004-x64
3 | options.html | windows7-x64
3 | options.html | windows10-2004-x64
3 | popup.html | windows7-x64
3 | popup.html | windows10-2004-x64
3 | profilinstylin.js | windows7-x64
3 | profilinstylin.js | windows10-2004-x64
3 | utils.html | windows7-x64
3 | utils.html | windows10-2004-x64
3 | interop.shdocvw.dll | windows7-x64
1 | interop.shdocvw.dll | windows10-2004-x64
1 | microsoft.mshtml.dll | windows7-x64
1 | microsoft.mshtml.dll | windows10-2004-x64
1 | profilinstylin.dll | windows7-x64
1 | profilinstylin.dll | windows10-2004-x64
1 | profilinst...ild.sh | ubuntu-18.04-amd64
6 | profilinst...ild.sh | debian-9-armhf
3 | profilinst...ild.sh | debian-9-mips
3 | profilinst...ild.sh | debian-9-mipsel
3 | profilinst...ild.sh | ubuntu-18.04-amd64
 | profilinst...ild.sh | debian-9-armhf
Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2024 03:51
Static task: static1

Behavioral tasks

Task | Sample | Resource
--- | --- | ---
behavioral1 | bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe | win7-20240903-en
behavioral2 | bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe | win10v2004-20241007-en
behavioral3 | $PLUGINSDIR/InetLoad.dll | win7-20240903-en
behavioral4 | $PLUGINSDIR/InetLoad.dll | win10v2004-20241007-en
behavioral5 | $PLUGINSDIR/LockedList.dll | win7-20241023-en
behavioral6 | $PLUGINSDIR/LockedList.dll | win10v2004-20241007-en
behavioral7 | $PLUGINSDIR/System.dll | win7-20240903-en
behavioral8 | $PLUGINSDIR/System.dll | win10v2004-20241007-en
behavioral9 | $PLUGINSDIR/nsDialogs.dll | win7-20240903-en
behavioral10 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20241007-en
behavioral11 | $PLUGINSDIR/nsExec.dll | win7-20240903-en
behavioral12 | $PLUGINSDIR/nsExec.dll | win10v2004-20241007-en
behavioral13 | options.html | win7-20240903-en
behavioral14 | options.html | win10v2004-20241007-en
behavioral15 | popup.html | win7-20240903-en
behavioral16 | popup.html | win10v2004-20241007-en
behavioral17 | profilinstylin.js | win7-20240903-en
behavioral18 | profilinstylin.js | win10v2004-20241007-en
behavioral19 | utils.html | win7-20240729-en
behavioral20 | utils.html | win10v2004-20241007-en
behavioral21 | interop.shdocvw.dll | win7-20241010-en
behavioral22 | interop.shdocvw.dll | win10v2004-20241007-en
behavioral23 | microsoft.mshtml.dll | win7-20240903-en
behavioral24 | microsoft.mshtml.dll | win10v2004-20241007-en
behavioral25 | profilinstylin.dll | win7-20240903-en
behavioral26 | profilinstylin.dll | win10v2004-20241007-en
behavioral27 | profilinstylin/build.sh | ubuntu1804-amd64-20240611-en
behavioral28 | profilinstylin/build.sh | debian9-armhf-20240611-en
behavioral29 | profilinstylin/build.sh | debian9-mipsbe-20240611-en
behavioral30 | profilinstylin/build.sh | debian9-mipsel-20240226-en
behavioral31 | profilinstylin/config_build.sh | ubuntu1804-amd64-20240611-en
behavioral32 | profilinstylin/config_build.sh | debian9-armhf-20240611-en
General

- Target: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe
- Size: 837KB
- MD5: bb98eac43874f2f08babddfd2a879bae
- SHA1: b844a4ce25584e095057bb115084f6b2160794f6
- SHA256: 71ed6fd674e384ddc915e47f5eac03ae4c21157b591c4af85880426be3c5d227
- SHA512: be00e7693d7cd95e84ed7985ab304ca67dd94064f3712953661459f7d757099f7dc5166125f0dd0637985c5e7b970541843aba1c29a52aafd5a9f7bf007af4d5
- SSDEEP: 24576:BmSHHHHHJ9B2KctXn7wVD+RASAd2XhA5N26:VHHHHHPB2KYLwNrSAd2XhCo6
Malware Config
Signatures
Loads dropped DLL (14 IoCs)
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe, regasm.exe
- PID 1388 bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe: 8 loads
- PID 2792 regasm.exe: 6 loads
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regasm.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbfb5c65-652c-3e10-9d9a-e586816d9342} (regasm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbfb5c65-652c-3e10-9d9a-e586816d9342}\NoExplorer = "1" (regasm.exe)
Drops file in Program Files directory (24 IoCs)
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe (creates every file below)
- C:\Program Files (x86)\profilinstylin\profilinstylin\chrome.manifest
- C:\Program Files (x86)\profilinstylin\profilinstylin\readme.txt
- C:\Program Files (x86)\profilinstylin\profilinstylin\content\firefoxOverlay.xul
- C:\Program Files (x86)\profilinstylin\profilinstylin\content\sudoku.js
- C:\Program Files (x86)\profilinstylin\profilinstylin\defaults\preferences\sudoku.js
- C:\Program Files (x86)\profilinstylin\profilinstylin\locale\en-US\.DS_Store
- C:\Program Files (x86)\profilinstylin\profilinstylin_Uninstall.exe
- C:\Program Files (x86)\profilinstylin\profilinstylin\content\overlay.js
- C:\Program Files (x86)\profilinstylin\profilinstylin\defaults\.DS_Store
- C:\Program Files (x86)\profilinstylin\profilinstylin\defaults\preferences\.DS_Store
- C:\Program Files (x86)\profilinstylin\profilinstylin\locale\.DS_Store
- C:\Program Files (x86)\profilinstylin\profilinstylin\locale\en-US\sudoku.properties
- C:\Program Files (x86)\profilinstylin\profilinstylin.dll
- C:\Program Files (x86)\profilinstylin\profilinstylin\build.sh
- C:\Program Files (x86)\profilinstylin\profilinstylin\config_build.sh
- C:\Program Files (x86)\profilinstylin\profilinstylin\files
- C:\Program Files (x86)\profilinstylin\profilinstylin\install.rdf
- C:\Program Files (x86)\profilinstylin\profilinstylin\content\.DS_Store
- C:\Program Files (x86)\profilinstylin\profilinstylin\content\installid.js
- C:\Program Files (x86)\profilinstylin\profilinstylin\skin\overlay.css
- C:\Program Files (x86)\profilinstylin\interop.shdocvw.dll
- C:\Program Files (x86)\profilinstylin\microsoft.mshtml.dll
- C:\Program Files (x86)\profilinstylin\profilinstylin\locale\en-US\sudoku.dtd
- C:\Program Files (x86)\profilinstylin\extension_2_5_1.crx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe, regasm.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regasm.exe)
Modifies registry class (45 IoCs)
Processes: regasm.exe (writes every entry below). Two COM classes are registered from the same assembly; only {CBFB5C65-652C-3E10-9D9A-E586816D9342} is referenced from the Browser Helper Objects key above.

Under \REGISTRY\MACHINE\SOFTWARE\Classes\BHO_HelloWorld.BHO:
- Key created: (the key itself)
- Set value (str): (Default) = "BHO_HelloWorld.BHO"
- Key created: CLSID
- Set value (str): CLSID\(Default) = "{CBFB5C65-652C-3E10-9D9A-E586816D9342}"

Under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBFB5C65-652C-3E10-9D9A-E586816D9342}:
- Key created: (the key itself)
- Set value (str): (Default) = "BHO_HelloWorld.BHO"
- Key created: ProgId
- Set value (str): ProgId\(Default) = "BHO_HelloWorld.BHO"
- Key created: InprocServer32
- Set value (str): InprocServer32\(Default) = "mscoree.dll"
- Set value (str): InprocServer32\ThreadingModel = "Both"
- Set value (str): InprocServer32\Class = "BHO_HelloWorld.BHO"
- Set value (str): InprocServer32\Assembly = "profilinstylin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
- Set value (str): InprocServer32\CodeBase = "file:///C:/Program Files (x86)/profilinstylin/profilinstylin.DLL"
- Set value (str): InprocServer32\RuntimeVersion = "v2.0.50727"
- Key created: InprocServer32\1.0.0.0
- Set value (str): InprocServer32\1.0.0.0\Class = "BHO_HelloWorld.BHO"
- Set value (str): InprocServer32\1.0.0.0\Assembly = "profilinstylin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
- Set value (str): InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files (x86)/profilinstylin/profilinstylin.DLL"
- Set value (str): InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"
- Key created: Implemented Categories
- Key created: Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}

Under \REGISTRY\MACHINE\SOFTWARE\Classes\Encryption.TripleDESEncryption:
- Key created: (the key itself)
- Set value (str): (Default) = "Encryption.TripleDESEncryption"
- Key created: CLSID
- Set value (str): CLSID\(Default) = "{3BE9AF61-4DBB-342E-B8F3-B0BEF3BF553D}"

Under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3BE9AF61-4DBB-342E-B8F3-B0BEF3BF553D}:
- Key created: (the key itself)
- Set value (str): (Default) = "Encryption.TripleDESEncryption"
- Key created: ProgId
- Set value (str): ProgId\(Default) = "Encryption.TripleDESEncryption"
- Key created: InprocServer32
- Set value (str): InprocServer32\(Default) = "mscoree.dll"
- Set value (str): InprocServer32\ThreadingModel = "Both"
- Set value (str): InprocServer32\Class = "Encryption.TripleDESEncryption"
- Set value (str): InprocServer32\Assembly = "profilinstylin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
- Set value (str): InprocServer32\CodeBase = "file:///C:/Program Files (x86)/profilinstylin/profilinstylin.DLL"
- Set value (str): InprocServer32\RuntimeVersion = "v2.0.50727"
- Key created: InprocServer32\1.0.0.0
- Set value (str): InprocServer32\1.0.0.0\Class = "Encryption.TripleDESEncryption"
- Set value (str): InprocServer32\1.0.0.0\Assembly = "profilinstylin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
- Set value (str): InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files (x86)/profilinstylin/profilinstylin.DLL"
- Set value (str): InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"
- Key created: Implemented Categories
- Key created: Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}

Under \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}:
- Set value (str): 0 = ".NET Category"
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe
- PID 1388 bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe: 4 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 1388 bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe
- PID 1388 bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe wrote to memory of PID 2792 (procid_target 92): 3 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe (PID 1388)
Command line: "C:\Users\Admin\AppData\Local\Temp\bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe (PID 2792, parent PID 1388)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe "C:\Program Files (x86)\profilinstylin\profilinstylin.dll" /codebase
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
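What the BHO signature, the registry-class entries and the process tree amount to, as an added example that is not part of this report and not the sandbox's own code: a small Python triage script that parses registry IoC lines in the report's own "Key created" / "Set value" format, joins the Browser Helper Objects entry to its CLSID registration, and flags the regasm.exe /codebase launch. The input lines are copied from this page (a constructed subset); the review rules in review() and suspicious_regasm() are the author's hunting heuristics, not something the sandbox asserts. Context for the heuristics: a .NET COM class registers mscoree.dll as its InprocServer32 and names the real assembly in CodeBase, and regasm.exe's /codebase switch is what writes that file path into the registry instead of requiring a GAC install, which is why the registration points at Program Files (x86).

```python
"""Added triage helper (not from the sandbox report): join the report's registry
IoC lines into one BHO record and flag the regasm.exe /codebase launch. Inputs are
copied from the report (constructed subset); the review rules are the author's."""
import re
from dataclasses import dataclass, field
from typing import Optional

REGISTRY_IOCS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbfb5c65-652c-3e10-9d9a-e586816d9342}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbfb5c65-652c-3e10-9d9a-e586816d9342}\NoExplorer = "1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBFB5C65-652C-3E10-9D9A-E586816D9342}\ProgId\ = "BHO_HelloWorld.BHO"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBFB5C65-652C-3E10-9D9A-E586816D9342}\InprocServer32\ = "mscoree.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBFB5C65-652C-3E10-9D9A-E586816D9342}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/profilinstylin/profilinstylin.DLL"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBFB5C65-652C-3E10-9D9A-E586816D9342}\InprocServer32\Assembly = "profilinstylin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
"""
# (pid, parent pid, command line) as shown in the Processes section
PROCESS_TREE = [
    (1388, None, r'"C:\Users\Admin\AppData\Local\Temp\bb98eac43874f2f08babddfd2a879bae_JaffaCakes118.exe"'),
    (2792, 1388, r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe "C:\Program Files (x86)\profilinstylin\profilinstylin.dll" /codebase'),
]

VALUE_RE = re.compile(r'^Set value \(\w+\) (.+?) = "(.*)"$')
KEY_RE = re.compile(r"^Key created (.+)$")
BHO_KEY_RE = re.compile(r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")
CLSID_ROOTS = (r"\registry\machine\software\classes\wow6432node\clsid",
               r"\registry\machine\software\classes\clsid")
# parent directories an installer should not be running from (author's heuristic)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

def parse_registry_iocs(text):
    """Return (keys, values): lower-cased key paths, and value path -> data."""
    keys, values = set(), {}
    for line in text.strip().splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # a trailing backslash in the report marks a key's (Default) value
            values[m.group(1).lower().rstrip("\\")] = m.group(2)
            continue
        m = KEY_RE.match(line.strip())
        if m:
            keys.add(m.group(1).lower())
    return keys, values

@dataclass
class BhoRecord:
    clsid: str
    progid: Optional[str] = None
    inproc_server: Optional[str] = None
    codebase: Optional[str] = None
    assembly: Optional[str] = None
    ie_only: bool = False
    findings: list = field(default_factory=list)

def review(rec):
    """Heuristics (author's, not the sandbox's) for what to look at next."""
    out = []
    if (rec.inproc_server or "").lower() == "mscoree.dll":  # .NET COM server
        out.append("managed COM server (mscoree.dll): the real module is CodeBase")
    if rec.codebase:
        path = re.sub(r"^file:///", "", rec.codebase, flags=re.I)
        if not path.lower().startswith("c:/windows/"):
            out.append(f"CodeBase outside %SystemRoot%: {path}")
    if rec.assembly and "publickeytoken=null" in rec.assembly.lower():
        out.append("assembly is not strong-named (PublicKeyToken=null)")
    if rec.ie_only:
        out.append("NoExplorer=1: loaded by Internet Explorer only, not by explorer.exe")
    return out

def find_bhos(keys, values):
    """Join each Browser Helper Objects\\{CLSID} key to that CLSID's registration."""
    records = []
    for key in sorted(keys):
        m = BHO_KEY_RE.search(key)
        if not m:
            continue
        clsid = m.group(1)
        rec = BhoRecord(clsid.upper(), ie_only=values.get(key + "\\noexplorer") == "1")
        for root in CLSID_ROOTS:  # WOW6432Node first: this sample is a 32-bit BHO
            base = f"{root}\\{clsid}"
            if f"{base}\\inprocserver32" in values:
                rec.progid = values.get(f"{base}\\progid")
                rec.inproc_server = values.get(f"{base}\\inprocserver32")
                rec.codebase = values.get(f"{base}\\inprocserver32\\codebase")
                rec.assembly = values.get(f"{base}\\inprocserver32\\assembly")
                break
        rec.findings = review(rec)
        records.append(rec)
    return records

def suspicious_regasm(process_tree):
    """regasm.exe /codebase whose parent process runs from a user-writable path."""
    cmd_by_pid = {pid: cmd for pid, _ppid, cmd in process_tree}
    hits = []
    for pid, ppid, cmd in process_tree:
        low = cmd.lower()
        if "regasm.exe" in low and "/codebase" in low:
            parent = cmd_by_pid.get(ppid, "").lower()
            if any(marker in parent for marker in USER_WRITABLE):
                hits.append({"pid": pid, "parent_pid": ppid})
    return hits

if __name__ == "__main__":
    for rec in find_bhos(*parse_registry_iocs(REGISTRY_IOCS)):
        print(rec.clsid, rec.progid, rec.codebase, *rec.findings, sep="\n  ")
    print("regasm hits:", suspicious_regasm(PROCESS_TREE))
```

On a live host the same join is done against HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKCR\WOW6432Node\CLSID (plus the non-WOW6432Node paths for 64-bit IE); the CodeBase and PublicKeyToken checks are review prompts, not verdicts, since legitimate managed BHOs register the same way.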
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 9KB
   MD5: b94fe26050179b997090fa876d3c4529
   SHA1: a9d988c97a50557a133b9a029594b936abbd87d7
   SHA256: 06022189b499198ce68829370e8adc8a57de16289984865d325ded6368fc3f56
   SHA512: 4bd556d724962a57af08054a5c60aefa533e0cb225f5793bca7a47145923156456a45f1f634ce787021a948e1f62bb204ad1eb4c2bfbd4335e33626aeda14d00

2. Filesize: 18KB
   MD5: 994669c5737b25c26642c94180e92fa2
   SHA1: d8a1836914a446b0e06881ce1be8631554adafde
   SHA256: bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
   SHA512: d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

3. Filesize: 31KB
   MD5: d6c18c9cdb750d7b23d5c9806b204a62
   SHA1: b41a65ca3115ca14102dccdf0818ac229af9461e
   SHA256: ee9201059695cde4aa728d9b0fd1a06278cdd6a6803c934e9d9d20fd420909e5
   SHA512: fc44d28a75d07e51222027dfe1b06f3bfe5454f3db3ab47d880cee0be96df31c3c82fd7c8e45b073eead741101a6eb6306bef53f4cf99e6279049f748cccc692

4. Filesize: 11KB
   MD5: c17103ae9072a06da581dec998343fc1
   SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
   SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
   SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

5. Filesize: 25KB
   MD5: cbe40fd2b1ec96daedc65da172d90022
   SHA1: 366c216220aa4329dff6c485fd0e9b0f4f0a7944
   SHA256: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
   SHA512: 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

6. Filesize: 9KB
   MD5: c10e04dd4ad4277d5adc951bb331c777
   SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
   SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
   SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

7. Filesize: 6KB
   MD5: acc2b699edfea5bf5aae45aba3a41e96
   SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
   SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
   SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe