a1d063654a16048553c0a16b610b945364a6884776898a02cc53edbad9b93bbc

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe
Size

77KB
MD5

0b7202ffe8bdde54054493b3915c4d0b
SHA1

c56e1425225dd5d37f7329597b2bbb50a5b654c8
SHA256

a1d063654a16048553c0a16b610b945364a6884776898a02cc53edbad9b93bbc
SHA512

1809ef2ceaca82768ccd79f5f8fc6df53563f94f9e1739b546c5b05ccdc12516a3d2bee69b7e9120575a6d84ecb34115fbf11a7ba38a9fe88d204396847ce531
SSDEEP

1536:ImQeikVmFDGhg2n2i4hu3HFP8L0FzahsminMGldn3aZyO:yeikIFDGhg2n2t7smiap

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asa	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1812	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29
PID 2168 wrote to memory of 1692	2168	0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b7202ffe8bdde54054493b3915c4d0b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\SysWOW64\regsvr32 /s C:\Windows\SysWOW64\Scrrun.dll
  2⤵
  - Modifies registry class
  PID:1812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\SysWOW64\regsvr32 /s C:\Windows\SysWOW64\ConverterM.dll
  2⤵
  PID:1692

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads