Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2025, 16:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
- Size: 556KB
- MD5: 5c4bc26caed4fbeca8026e18b58eb0d9
- SHA1: b325151aa6e6ba2155c4b81e51fa36aea9e62588
- SHA256: 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
- SHA512: 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10
- SSDEEP: 12288:I9cONi+mj169epUzdmpN2aAbFc0G+lZs8EmShYPtZww4M76kSA4drG:YvNi+m1Oz4po5c0G+lefJhY/wW7ZAQ
Signatures
Each IoC below is listed as description: ioc (process).

Executes dropped EXE (2 IoCs)
- PID 4492: odbctrac32.exe
- PID 2432: agentactivationruntimewindows32.exe

Loads dropped DLL (1 IoC)
- PID 640: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{136971C9-FED1-4571-9D36-A175B4E90C42} (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)

Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\SysWOW64\974975309 (odbctrac32.exe)
- File created: C:\Windows\SysWOW64\agentactivationruntimewindows32.dll (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
- File opened for modification: C:\Windows\SysWOW64\974975309 (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
- File created: C:\Windows\SysWOW64\odbctrac32.exe (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
- File opened for modification: C:\Windows\SysWOW64\odbctrac32.exe (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (agentactivationruntimewindows32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (odbctrac32.exe)

Modifies Internet Explorer settings
- Set value (data): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 (JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe)
Modifies data under HKEY_USERS (20 IoCs)
All 20 IoCs are attributed to JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe.
- Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd
- Key created: \REGISTRY\USER\S-1-5-20\Software\Hbsatpnuwd\CLSID
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}"
- Key created: \REGISTRY\USER\S-1-5-19\Software
- Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd\CLSID
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd
- Set value (data): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42
- Key created: \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd\CLSID
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}"
- Key created: \REGISTRY\USER\S-1-5-19\Software\Hbsatpnuwd\CLSID
- Set value (data): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42
- Key created: \REGISTRY\USER\.DEFAULT
- Key created: \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd
- Key created: \REGISTRY\USER\S-1-5-19
- Set value (str): \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}"
- Key created: \REGISTRY\USER\S-1-5-20
- Key created: \REGISTRY\USER\S-1-5-20\Software
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd\CLSID
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42
Modifies registry class (15 IoCs)
All 15 IoCs are attributed to JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45d14cf6-0937-49bd-8298-07e84fc532fa}
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}"
- Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{a35d3dea-816c-4752-80f2-6fb0e4f6396a}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32
- Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ = "C:\\Windows\\SysWow64\\agentactivationruntimewindows32.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ThreadingModel = "Both"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID
- Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 640: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
- PID 640: JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4492 (odbctrac32.exe) wrote to memory of PID 2432 (procid_target 83)
- PID 4492 (odbctrac32.exe) wrote to memory of PID 2432 (procid_target 83)
- PID 4492 (odbctrac32.exe) wrote to memory of PID 2432 (procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe (PID 640, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\odbctrac32.exe (PID 4492, tree depth 1)
  Command line: C:\Windows\SysWOW64\odbctrac32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\agentactivationruntimewindows32.exe (PID 2432, tree depth 2, under odbctrac32.exe)
    Command line: schutz
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads