c6e380949e5aa4f040a79835636eb15a4cfa31e3993b62669e714200cfe06033

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.dll
Size

99KB
MD5

f3023c08b21f147fe30758d1b516d64c
SHA1

14e83612f1b314143ebae40bc44a745846c5d1b8
SHA256

c6e380949e5aa4f040a79835636eb15a4cfa31e3993b62669e714200cfe06033
SHA512

fa33aea213703ae74624c532dc8f0a7a6e517b7601b90c12df511881c36ce34ebf5d443c091be1b5b247f302f97e3ac90379880ec9ed7b9b288ad7d7f089817a
SSDEEP

1536:hYAqPeEGw7AqVE7Uu2TNb6RAWzkwj+gBeylyAi4zzXOfnFUcI0crbjUj:Z9XBKQj+gUyd3efnF1ArbjUj

Score

1^/10

Malware Config

Signatures

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\ProgID\ = "f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.ShellExecuteHook1007"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.ShellExecuteHook1007\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.ShellExecuteHook1007\Clsid\ = "{8BAA7594-70F6-4895-BA1C-778C33327E83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAA7594-70F6-4895-BA1C-778C33327E83}\ = "Maihook1007"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.ShellExecuteHook1007	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.ShellExecuteHook1007\ = "Maihook1007"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28
PID 2164 wrote to memory of 2504	2164	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\f3023c08b21f147fe30758d1b516d64c_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-0-0x0000000000100000-0x000000000011B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads