Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 15/01/2025, 16:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.dll
Size: 644KB
MD5: 5ca76fa66e2673d7e0e8d7eb04eb4623
SHA1: 2ff3812826ecb6e78ec5a3b4aa6e2a125d1c0433
SHA256: 6ef40af417bad766e468541e1e094de80cf25c5966608295c2cb78789f19eeb3
SHA512: 1c4d1827803531ffa1c31786f08de5d494fa2d7e1d370b0a4efa2baddcf776915bb9820679ac344591a84498b390ff63fdb4450dda9eed73da7c424096a41d2a
SSDEEP: 12288:2viGqB8vFJySCXSs9/NAolnnMATPxhOLgZs3e4I6kMHeIBv7pj:26Gw8Ty3XXplnjlhOLgZs3NHXeIBT
Malware Config
Signatures
Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CC01FC6C-EE8A-4928-7E9C-D824954461C4} | regsvr32.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\ = "sb" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.sb\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.sb\Clsid\ = "{CC01FC6C-EE8A-4928-7E9C-D824954461C4}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\ProgID\ = "JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.sb" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.sb | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.sb\ = "sb" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-EE8A-4928-7E9C-D824954461C4}\ProgID | regsvr32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
PID 2408 wrote to memory of 2104 | 2408 | regsvr32.exe | 30
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.dll
  PID: 2408
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ca76fa66e2673d7e0e8d7eb04eb4623.dll
    PID: 2104
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class