Analysis

max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 16:33
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
Size: 556KB
MD5: 5c4bc26caed4fbeca8026e18b58eb0d9
SHA1: b325151aa6e6ba2155c4b81e51fa36aea9e62588
SHA256: 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
SHA512: 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10
SSDEEP: 12288:I9cONi+mj169epUzdmpN2aAbFc0G+lZs8EmShYPtZww4M76kSA4drG:YvNi+m1Oz4po5c0G+lefJhY/wW7ZAQ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  2556  dmutil32.exe
  2728  api-ms-win-core-localization-l1-2-032.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  2812  JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  2556  dmutil32.exe
  2556  dmutil32.exe

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6} | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

Drops file in System32 directory (5 IoCs)
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  File opened for modification | C:\Windows\SysWOW64\2045796327 | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  File created | C:\Windows\SysWOW64\dmutil32.exe | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  File opened for modification | C:\Windows\SysWOW64\dmutil32.exe | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  File opened for modification | C:\Windows\SysWOW64\2045796327 | dmutil32.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | api-ms-win-core-localization-l1-2-032.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dmutil32.exe

Modifies Internet Explorer settings (1 IoC)
  Description | IoC | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6 | JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

Modifies data under HKEY_USERS (18 IoCs)
All rows: process JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  Description | IoC
  Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6
  Key created | \REGISTRY\USER\.DEFAULT\Software\Tnsbjvyajo\CLSID
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}"
  Key created | \REGISTRY\USER\S-1-5-19\Software
  Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo\CLSID
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}"
  Key created | \REGISTRY\USER\.DEFAULT
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo\CLSID
  Key created | \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo\CLSID
  Key created | \REGISTRY\USER\S-1-5-20
  Key created | \REGISTRY\USER\S-1-5-20\Software
  Key created | \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6
  Key created | \REGISTRY\USER\.DEFAULT\Software
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo
  Key created | \REGISTRY\USER\S-1-5-19
  Key created | \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo

Modifies registry class (16 IoCs)
All rows: process JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
  Description | IoC
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ea8361b-554b-4884-bcaf-c204afc9d680}
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ThreadingModel = "Both"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}"
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Software\Tnsbjvyajo\CLSID
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{c45e9028-2985-4bf5-8b13-8eeb9a25296f}"

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  2812  JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description | PID | Process | procid_target
  PID 2556 wrote to memory of 2728 | 2556 | dmutil32.exe | 30   (this row is reported four times)
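The registry signatures above fit together. The CLSID created under Browser Helper Objects, {0F09AE11-BE12-4098-BB5E-92E856FF0BB6}, is the same CLSID whose InprocServer32 default value names the dropped C:\Windows\SysWow64\api-ms-win-core-localization-l1-2-032.dll, so Internet Explorer would load that DLL as a BHO. The 16-byte value written to ...\Internet Explorer\Main\XMLHTTP_UUID_Default, 11ae090f12be9840bb5e92e856ff0bb6, is that same GUID in the byte order Windows uses for a GUID structure in memory (first three fields little-endian). The Python below is an added triage helper for this report and is not part of the sandbox output. Its event list is constructed from the IoC rows above with the process column dropped. Its api-ms-win-* check rests on two assumptions stated in the comments: that genuine API-set DLLs are forwarder stubs and are never registered as COM in-proc servers, and that a genuine API-set name has the shape api-ms-win-<ns>-l<major>-<minor>-<patch>.dll with no leading zeros in the version fields.

```python
"""Added triage helper for this report's registry IoCs (not sandbox output).
Links the BHO CLSID to its InprocServer32 DLL, decodes the XMLHTTP_UUID_Default
blob, and flags in-proc servers whose file name borrows the api-ms-win-* prefix."""
import re
import uuid

# Constructed from the report's IoC tables; the process column is dropped.
# Tuples are (operation, registry path, value data or None).
EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects", None),
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}", None),
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32", None),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32" + "\\",
     r"C:\Windows\SysWow64\api-ms-win-core-localization-l1-2-032.dll"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ThreadingModel",
     "Both"),
    ("Set value (data)",
     r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default",
     "11ae090f12be9840bb5e92e856ff0bb6"),
    ("Set value (data)",
     r"\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default",
     "11ae090f12be9840bb5e92e856ff0bb6"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID" + "\\",
     "{8ea8361b-554b-4884-bcaf-c204afc9d680}"),
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_KEY = "\\explorer\\browser helper objects\\"   # matched case-insensitively, either registry view
# Assumed shape of a genuine API-set name: api-ms-win-<ns>-l<major>-<minor>-<patch>.dll,
# decimal version fields without leading zeros.
APISET_STRICT = re.compile(
    r"^api-ms-win-[a-z0-9]+(?:-[a-z0-9]+)*-l[1-9]\d*-(?:0|[1-9]\d*)-(?:0|[1-9]\d*)\.dll$")


def guid_from_le_hex(hexstr):
    """Render a 16-byte GUID blob stored in Windows' in-memory layout (first
    three fields little-endian) as the braced, upper-case registry form."""
    return "{%s}" % str(uuid.UUID(bytes_le=bytes.fromhex(hexstr))).upper()


def registered_bhos(events):
    """CLSIDs created directly under a Browser Helper Objects key."""
    found = set()
    for _op, path, _data in events:
        idx = path.lower().find(BHO_KEY)
        if idx >= 0:
            m = GUID_RE.match(path[idx + len(BHO_KEY):])
            if m:
                found.add(m.group(0).upper())
    return found


def inproc_server(events, clsid):
    """Default value of CLSID\\{...}\\InprocServer32, i.e. the DLL COM will load."""
    needle = ("\\CLSID\\%s\\InprocServer32\\" % clsid).lower()
    for op, path, data in events:
        if op.startswith("Set value") and path.lower().endswith(needle):
            return data
    return None


def apiset_masquerade(path):
    """True when the file name borrows the api-ms-win-* prefix but is not a
    well-formed API-set name.  Assumption: API-set DLLs are forwarders, not COM
    servers, so any api-ms-win-* InprocServer32 is already suspect; a malformed
    version suffix (here "-032") confirms the name is borrowed."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.startswith("api-ms-win-") and not APISET_STRICT.match(name)


def triage(events):
    """Return (BHO findings, decoded XMLHTTP_UUID_Default values keyed by path)."""
    findings = []
    for clsid in sorted(registered_bhos(events)):
        dll = inproc_server(events, clsid)
        findings.append({"clsid": clsid, "dll": dll,
                         "apiset_masquerade": bool(dll) and apiset_masquerade(dll)})
    decoded = {path: guid_from_le_hex(data) for _op, path, data in events
               if path.lower().endswith("\\xmlhttp_uuid_default") and data}
    return findings, decoded


if __name__ == "__main__":
    bhos, blobs = triage(EVENTS)
    for f in bhos:
        print("BHO %s -> %s  apiset_masquerade=%s" % (f["clsid"], f["dll"], f["apiset_masquerade"]))
    for path, guid in blobs.items():
        print("%s = %s" % (path, guid))
```

Feeding the same logic a host's own export of HKLM\SOFTWARE\Classes (both views) and HKU\*\Software\Microsoft\Internet Explorer\Main would surface the same two links, a BHO whose in-proc server lives outside the expected signed set and a GUID blob that names it, without relying on the sample's hash.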
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe (PID 2812, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\dmutil32.exe (PID 2556, depth 1)
  Command line: C:\Windows\SysWOW64\dmutil32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe (PID 2728, depth 2, child of PID 2556)
    Command line: C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe schutz
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 556KB (same hashes as the submitted sample)
MD5: 5c4bc26caed4fbeca8026e18b58eb0d9
SHA1: b325151aa6e6ba2155c4b81e51fa36aea9e62588
SHA256: 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
SHA512: 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10

Filesize: 35B
MD5: dda01966a5980b296846651a96adaa6f
SHA1: 8443bdcf0db537846a54f96317a6d1b1fa0917a9
SHA256: e7f5aabc475c6736833d079010b0775caa3928d529d5f2a2a3071cf470cffe86
SHA512: 9b0e685cf3807f0ac4271c53475bd0a8236b3ba630d75788743991db8d29f0daa9c8dc770757f8c9f1431d1f04fb0d367302b75212548443622d2bfca5667816

Filesize: 91B
MD5: ecd882f2dbfd7625915551727ddce092
SHA1: ecdbc1cefaaa0f5ef78016c4531b9eb74f195f9c
SHA256: dbe196113fe07ebc7650c6b9e57fd7376a286b0137b9dd821ac5c103b6cc04a5
SHA512: 83b76814cb9a69909449c20c3cd77599a8b75d8203ae85d7534e2675f5b13c09904fd86cdcd6361b8d34ed66eb8ed2f4a2406dfc9412df90a16b4664e1cc7e2e

Filesize: 349KB
MD5: 039a15a688868e70e8f524dd085de889
SHA1: 696707392807a8a12a186eace7f2988fa99d0410
SHA256: 9df4737585de117e0de9b51cc4c047caf818cd3568c94b87a003a40ad99992fa
SHA512: 8e6c40cf4241cf66adf0bd0cd5efb8621b92b2c444e3ec20daa02b36268a5aa9a70577ef8d480e3b6fea7b72f9c31657cddf5d4d652bc2403637dbdb9d0decd7