Overview
overview
7Static
static
33a116b2c61...18.exe
windows7-x64
73a116b2c61...18.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...lp.dll
windows7-x64
1$PLUGINSDI...lp.dll
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3IA2Marshal.dll
windows7-x64
1IA2Marshal.dll
windows10-2004-x64
1Interop.Shell32.dll
windows7-x64
1Interop.Shell32.dll
windows10-2004-x64
1Skybound.Gecko.dll
windows7-x64
1Skybound.Gecko.dll
windows10-2004-x64
1WallpaperMakerApp.exe
windows7-x64
1WallpaperMakerApp.exe
windows10-2004-x64
6content/co...log.js
windows7-x64
3content/co...log.js
windows10-2004-x64
3content/pi...ger.js
windows7-x64
3content/pi...ger.js
windows10-2004-x64
3content/pi...ror.js
windows7-x64
3content/pi...ror.js
windows10-2004-x64
3content/pi...ker.js
windows7-x64
3content/pi...ker.js
windows10-2004-x64
3Analysis
-
max time kernel
134s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 12:16
Static task
static1
Behavioral task
behavioral1
Sample
3a116b2c6122cd589c81807d8bdfb31d_JaffaCakes118.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
3a116b2c6122cd589c81807d8bdfb31d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/OCSetupHlp.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/OCSetupHlp.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
IA2Marshal.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral18
Sample
IA2Marshal.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Interop.Shell32.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral20
Sample
Interop.Shell32.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Skybound.Gecko.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral22
Sample
Skybound.Gecko.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
WallpaperMakerApp.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
WallpaperMakerApp.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
content/cookie/cookieAcceptDialog.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
content/cookie/cookieAcceptDialog.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
content/pippki/certManager.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
content/pippki/certManager.js
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
content/pippki/certerror.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
content/pippki/certerror.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
content/pippki/certpicker.js
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral32
Sample
content/pippki/certpicker.js
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
IA2Marshal.dll
-
Size
23KB
-
MD5
d7a8d54446d61432edd4a12a0a98ac5f
-
SHA1
a3497a6e70d59a311f81771a7143a5ae9245d5f7
-
SHA256
17dd0bad9ab96d7a2ca4b5d384c88cbabdc0cceab812b2f4eb5e62644ab6a6cf
-
SHA512
7488a75307f0f260ea6470f9539fffdbc6eacdb967ece8e1bdedb39e1e44b4b5a3dd9f05387f737da93f7e4fa48b28d015c8160ef98ac298a3177bf085631934
-
SSDEEP
384:JpWYarFTQ4nziIIKbTQ4n3fPvAdZwSy4:Jn4zNdg43PAXy
Malware Config
Signatures
-
Modifies registry class 45 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IA2Marshal.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\ = "PSFactoryBuffer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\NumMethods regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E89F726E-C4F4-4C19-BB19-B647D7FA8478} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CDF86EE-C3DA-496A-BDA4-281B336E1FDC}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CDF86EE-C3DA-496A-BDA4-281B336E1FDC} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394}\NumMethods regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CDF86EE-C3DA-496A-BDA4-281B336E1FDC}\ProxyStubClsid32 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3740 wrote to memory of 1732 3740 regsvr32.exe 83 PID 3740 wrote to memory of 1732 3740 regsvr32.exe 83 PID 3740 wrote to memory of 1732 3740 regsvr32.exe 83