cb0d38ffc9ac0ef874d2c6942154077cdbdccbbf596b8e40b9360af1f27e552c

General

Target

64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll
Size

199KB
MD5

64799af6b4784760bb451056ab7a1205
SHA1

b302a6e7dee7043925cd30a905fd4c4233a8064b
SHA256

cb0d38ffc9ac0ef874d2c6942154077cdbdccbbf596b8e40b9360af1f27e552c
SHA512

b7b68dbebf6ecc4de6e42582b1229cdb56fb9d2a5da1a7d60a6c8ed7524a72e1e8cca144e377d3e4067cd5e7d808585ead1fa3e6927bcad2da8e1b66ea61290e
SSDEEP

3072:Q2yywZ8NOAf90tLOsFZdASaIaOXUX1RmY1viVg6y/jg9FdYJEhN9dTmmkSER/Um4:c78vfEBFZdASUT1RmMQxFdYJErlj6f

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ = "IOLEObjects"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ = "DRichTextEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\ = "Microsoft Rich Textbox Control 6.0 (SP4)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Version\ = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CurVer\ = "RICHTEXT.RichtextCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ = "IRichText"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ = "IRichText"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1\ = "Microsoft Rich Textbox Control 6.0 (SP4)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\ = "Microsoft Rich Textbox Control 6.0 (SP4)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2752 wrote to memory of 2628	2752	regsvr32.exe	regsvr32.exe
PID 2752 wrote to memory of 2628	2752	regsvr32.exe	regsvr32.exe
PID 2752 wrote to memory of 2628	2752	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\64799af6b4784760bb451056ab7a1205_JaffaCakes118.dll
2⤵
- Modifies registry class
PID:2628

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads