58c829a9228e1830d3c70e047289d33912f5158610d5d05fa31b7294619ccd65

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 09:09

Target

cf7b3f401b51e155a9aad89bc6b7f990_JaffaCakes118.dll
Size

910KB
MD5

cf7b3f401b51e155a9aad89bc6b7f990
SHA1

9f7288a1de661438ead5754641693dbf3062fdc0
SHA256

58c829a9228e1830d3c70e047289d33912f5158610d5d05fa31b7294619ccd65
SHA512

058e18ddd4bd2069cfe89ac6d98cee48f3021e4a920bbbb01faae1fde98464d276e4856f59d7fe394f917905db550f1fe955984579d3573666404aaa06040ac9
SSDEEP

12288:eGhVZ2UN3TW/Fo2H5TyMNtsDc/l35exDDdGhVZ2UN3TW/Fo2H5TyMNtsDc/l35e2:hqeVcqeVcqeV

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\ = "XACT Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cf7b3f401b51e155a9aad89bc6b7f990_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4920	3132	regsvr32.exe	85
PID 3132 wrote to memory of 4920	3132	regsvr32.exe	85
PID 3132 wrote to memory of 4920	3132	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf7b3f401b51e155a9aad89bc6b7f990_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\cf7b3f401b51e155a9aad89bc6b7f990_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:4920