Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 22:11
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
Resource: win7-20240903-en

General
Target: JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
Size: 40KB
MD5: 633b0b777e7833682d3b27d889421112
SHA1: 158bc4c6296ab061f0cef84859577b97b599b665
SHA256: 1476418fe69abf69d07b8824533174b4312c48da8b27bef508ab9c5fd1ef1131
SHA512: 1ca6e37084f2941103fd285d3e3555f22e6c2ffb6b091250eac503c24dd8823d5c8e6b6d9a2208f7490678f3cb7e5acbcd6839e5ffa3033e25648e7365f95c8d
SSDEEP: 768:symya2hWn6F6Od/4S4q9+jNPWaZTX27C9O3Ucpu:s2aUWnPOtSPWa399cu
Malware Config
Signatures
UAC bypass 1 IoCs
Sets EnableLUA to 0 under the local machine policy key, which switches off User Account Control prompting from the next logon onward. Writing this HKLM value only succeeds from an already elevated process, so the sample was running with administrative rights in the sandbox; on a standard-user host the same command would fail with access denied.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REGSVR32.EXE

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

Modifies registry key 1 TTPs 1 IoCs
pid | Process
1204 | reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

Suspicious use of WriteProcessMemory 9 IoCs
Each child process accounts for three writes by its parent, which is the pattern a normal CreateProcess call produces when the parent sets up the new process; on its own this is evidence of process creation, not of code injection.
description | pid | Process | procid_target
PID 1412 wrote to memory of 2812 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 85
PID 1412 wrote to memory of 2812 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 85
PID 1412 wrote to memory of 2812 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 85
PID 2812 wrote to memory of 1204 | 2812 | cmd.exe | 87
PID 2812 wrote to memory of 1204 | 2812 | cmd.exe | 87
PID 2812 wrote to memory of 1204 | 2812 | cmd.exe | 87
PID 1412 wrote to memory of 2832 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 89
PID 1412 wrote to memory of 2832 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 89
PID 1412 wrote to memory of 2832 | 1412 | JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | 89
Processes
The sample is 32-bit (arch:x86), so the System32 paths in its command lines resolve to SysWOW64 under WOW64 file-system redirection, which is why the image paths below differ from the command lines.
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"
  PID: 1412
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    PID: 2812
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 1204
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  - C:\Windows\SysWOW64\REGSVR32.EXE
    Command line: C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
    PID: 2832
    - System Location Discovery: System Language Discovery
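The signatures above and the process tree together give three detectable behaviours: the reg.exe write of EnableLUA=0, the silent regsvr32 registration of a DLL dropped into C:\WINDOWS\addins, and the creation of a Browser Helper Objects key. The following is an added example (not part of the sandbox report or of any vendor's rule set) that encodes those behaviours as detection rules and runs them over constructed process-creation and registry events mirroring the report's process tree. The parent PID 1000 and the benign regsvr32 call with PID 3000 are assumptions added so the rules have something they must not flag; the CLSID under the BHO key is omitted because the report does not show it.

```python
# Detection rules for the behaviours in this report, run over constructed
# telemetry. Added example, not code from the sandbox report.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path (after WOW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    op: str         # "create" or "set"
    key: str
    value: str = ""
    data: str = ""


# Constructed telemetry (not from the page): the report's process tree plus an
# assumed parent PID 1000 and one benign regsvr32 call (PID 3000) as a control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
PROCS = [
    ProcEvent(1412, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2812, 1412, r"C:\Windows\SysWOW64\cmd.exe",
              rf"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD {POLICY} /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(1204, 2812, r"C:\Windows\SysWOW64\reg.exe",
              rf"C:\Windows\System32\reg.exe ADD {POLICY} /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(2832, 1412, r"C:\Windows\SysWOW64\REGSVR32.EXE",
              r"C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),   # control: must not fire
]
REGS = [
    RegEvent(1412, "create", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"),
    RegEvent(1412, "create", r"HKLM\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid"),
    RegEvent(1204, "set", POLICY, "EnableLUA", "0"),
]

# reg.exe ADD <policy key> ... /v EnableLUA ... /d 0, in any argument order.
UAC_CMD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?hk(?:lm|ey_local_machine)'
    r'\\software\\microsoft\\windows\\currentversion\\policies\\system"?\s'
    r"(?=.*/v\s+enablelua\b)(?=.*/d\s+(?:0x)?0+\b)",
    re.IGNORECASE,
)
DLL_PATH_RE = re.compile(r'([a-z]:\\[^"\s]+\.(?:dll|ocx))\b', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def image_name(path):
    return PureWindowsPath(path).name


def lineage(procs, pid):
    """Walk parent pointers, e.g. 'reg.exe <- cmd.exe <- <sample>'."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


def rule_uac_cmdline(ev):
    if image_name(ev.image).lower() == "reg.exe" and UAC_CMD_RE.search(ev.cmdline):
        return "uac_disable_cmdline"
    return None


def rule_regsvr32_untrusted(ev):
    # regsvr32 registering a COM server outside the usual install roots
    if image_name(ev.image).lower() != "regsvr32.exe":
        return None
    m = DLL_PATH_RE.search(ev.cmdline)
    if m and not m.group(1).lower().startswith(TRUSTED_DIRS):
        return "regsvr32_untrusted_dll"
    return None


def rule_uac_regwrite(ev):
    # Registry-side view of the same bypass: EnableLUA written as 0 (any radix).
    if (ev.op == "set" and ev.key.lower().endswith("\\policies\\system")
            and ev.value.lower() == "enablelua"):
        try:
            if int(ev.data, 0) == 0:
                return "uac_disable_regwrite"
        except ValueError:
            pass
    return None


def rule_bho(ev):
    if "\\explorer\\browser helper objects" in ev.key.lower():
        return "bho_registration"
    return None


def detect(procs, regs):
    """One alert dict per (rule, event) hit, each carrying the process ancestry."""
    alerts = []
    for ev in procs:
        for rule in (rule_uac_cmdline, rule_regsvr32_untrusted):
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "pid": ev.pid,
                               "chain": lineage(procs, ev.pid), "evidence": ev.cmdline})
    for ev in regs:
        for rule in (rule_uac_regwrite, rule_bho):
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "pid": ev.pid,
                               "chain": lineage(procs, ev.pid), "evidence": ev.key})
    return alerts


if __name__ == "__main__":
    for a in detect(PROCS, REGS):
        print(f"{a['rule']:<24} pid={a['pid']:<5} {a['chain']}")
```

Both the command-line rule and the registry-write rule fire for PID 1204, which is deliberate: the first needs process-creation telemetry, the second needs registry auditing, and an environment with only one of the two still catches the bypass. The cmd.exe parent carries the same reg.exe command in its own command line, so when hunting in process logs without the image filter the parent's command line is an equally good pivot.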