Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    15/01/2025, 22:11

General

  • Target

    JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

  • Size

    40KB

  • MD5

    633b0b777e7833682d3b27d889421112

  • SHA1

    158bc4c6296ab061f0cef84859577b97b599b665

  • SHA256

    1476418fe69abf69d07b8824533174b4312c48da8b27bef508ab9c5fd1ef1131

  • SHA512

    1ca6e37084f2941103fd285d3e3555f22e6c2ffb6b091250eac503c24dd8823d5c8e6b6d9a2208f7490678f3cb7e5acbcd6839e5ffa3033e25648e7365f95c8d

  • SSDEEP

    768:symya2hWn6F6Od/4S4q9+jNPWaZTX27C9O3Ucpu:s2aUWnPOtSPWa399cu

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"
    1⤵
    • Installs/modifies Browser Helper Object
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2336
    • C:\Windows\syswow64\REGSVR32.EXE
      C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2756
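The process tree above contains two actions worth turning into detections: cmd.exe /k launching reg.exe to set EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the sandbox labels this "UAC bypass", but a zeroed EnableLUA switches UAC off outright, and the change only takes effect after the next restart), and REGSVR32.EXE /s silently registering a DLL dropped into C:\WINDOWS\addins, which is what the Browser Helper Object signature is reacting to. The Python below is an added example, not part of the sandbox report or of the sample: it runs two command-line checks over constructed process-creation records that mirror the tree (PIDs, images and command lines are copied from the report; the record layout and the missing parent of PID 2480 are assumptions) and reports each hit with its parent chain.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon event 1 style) mirroring the
# sandbox's process tree. PIDs, images and command lines come from the report;
# ppid=None for the root is an assumption (the report does not show its parent).
EVENTS = [
    {"pid": 2480, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"'},
    {"pid": 1264, "ppid": 2480, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 2336, "ppid": 1264, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"C:\Windows\System32\reg.exe ADD "
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 2756, "ppid": 2480, "image": r"C:\Windows\syswow64\REGSVR32.EXE",
     "cmdline": r"C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll"},
]

UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
# Values under that key whose zeroing weakens or disables UAC prompting.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Directories from which regsvr32 registering a DLL is ordinary; anything else is reported.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

_REG_ADD = re.compile(
    r"\breg(?:\.exe)?\s+add\s+(?P<key>\S+).*?/v\s+(?P<value>\S+).*?/d\s+(?P<data>\S+)",
    re.IGNORECASE)
_REGSVR32 = re.compile(r"\bregsvr32(?:\.exe)?\s+(?P<args>.*)", re.IGNORECASE)


def uac_disable_write(cmdline):
    """Return (value_name, data) when the command line carries a reg.exe ADD
    that sets one of the UAC policy values to 0; otherwise None.
    The cmd.exe wrapper line matches too, because it embeds the full reg command."""
    m = _REG_ADD.search(cmdline)
    if not m:
        return None
    key = re.sub(r"^hkey_local_machine", "hklm", m.group("key").strip('"').rstrip("\\").lower())
    value = m.group("value").strip('"')
    data = m.group("data").strip('"')
    if key == UAC_POLICY_KEY and value.lower() in UAC_VALUES and data == "0":
        return (value, data)
    return None


def regsvr32_unusual_dll(cmdline):
    """Return the DLL path when regsvr32 registers a DLL that lives outside the
    trusted directories (e.g. C:\\WINDOWS\\addins); otherwise None."""
    m = _REGSVR32.search(cmdline)
    if not m:
        return None
    dlls = [a.strip('"') for a in m.group("args").split() if a.lower().endswith(".dll")]
    if not dlls or dlls[-1].lower().startswith(TRUSTED_DLL_DIRS):
        return None
    return dlls[-1]


def triage(events):
    """Run both checks over the records and return findings as
    (pid, parent chain, tag, detail), in record order."""
    by_pid = {e["pid"]: e for e in events}

    def chain(pid):
        names = []
        while pid in by_pid:
            names.append(ntpath.basename(by_pid[pid]["image"]))
            pid = by_pid[pid]["ppid"]
        return " <- ".join(names)

    findings = []
    for e in events:
        hit = uac_disable_write(e["cmdline"])
        if hit:
            findings.append((e["pid"], chain(e["pid"]), "uac_policy_zeroed", f"{hit[0]}={hit[1]}"))
        dll = regsvr32_unusual_dll(e["cmdline"])
        if dll:
            silent = " /s " in f" {e['cmdline'].lower()} "
            findings.append((e["pid"], chain(e["pid"]), "regsvr32_unusual_dll",
                             f"{dll} (silent={silent})"))
    return findings


if __name__ == "__main__":
    for pid, parents, tag, detail in triage(EVENTS):
        print(f"PID {pid:<5} {tag:<24} {detail}\n      chain: {parents}")
```

The registry key for the dropped BHO is not listed in the report, so the example keys off the regsvr32 command line rather than a CLSID; on a live host the follow-up is to read EnableLUA back from the policy key (expect 1) and to list the Browser Helper Objects keys for the DLL path.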

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2480-5-0x0000000004340000-0x0000000004752000-memory.dmp

    Filesize 4.1MB