d5b686d617482418d77df05a64751e587d6f811cea6b29cff8c482f23b4811e8

General

Target

63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll
Size

122KB
MD5

63f85dbccdd65f72ee66b50d74017c42
SHA1

71ef8d77176ca387724da9b86fc4a087581aff64
SHA256

d5b686d617482418d77df05a64751e587d6f811cea6b29cff8c482f23b4811e8
SHA512

9af6902e07a501c04b74b5c2304e123e680d1d570fe52e0d9d967e20fd461ac4b5a876786b2f0304a5b96fa943a68892e12d151d3dde9e13cbbd38cf1910297a
SSDEEP

3072:AeyTP4+4n/iOw7ucmBbiIYdrX+EchOMCooYUBBHgkJLrx3RgOZIP53nDcVpwFz:jQ4+4naucQbDm95oOZIPoq

Score

1^/10

Malware Config

Signatures

Modifies registry class 61 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Insertable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\ = "IViewCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32\14.0.0.0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Typelib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OVCtl.OVCtl\CurVer\ = "OVCtl.OVCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\ = "IObjectModelAccess"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Version\ = "1.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OVCtl.OVCtl\ = "Microsoft Outlook View Control"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ = "Microsoft Outlook View Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\VersionIndependentProgID\ = "OVCtl.OVCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OVCtl.OVCtl.1\ = "Microsoft Outlook View Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\TypeLib\ = "{0006F062-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\TypeLib\ = "{0006F062-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OVCtl.OVCtl.1\CLSID\ = "{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\TypeLib\ = "{0006F062-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ProgID\ = "OVCtl.OVCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067274-0000-0000-C000-000000000046}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0006F062-0000-0000-C000-000000000046}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\ = "ViewCtlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA4CF450-EE13-11D3-8C45-00C04F4C517C}\TypeLib\ = "{0006F062-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067276-0000-0000-C000-000000000046}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 2240	1976	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\63f85dbccdd65f72ee66b50d74017c42_JaffaCakes118.dll
2⤵
- Modifies registry class
PID:2240

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads