42ed9d768f1f39a738dd36c2c4fcc8e846f45517f3ff05d145ff4ca987fa2dfe

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64c56a7f0a3f5152428a0ba9121794ea_JaffaCakes118.dll
Size

5KB
MD5

64c56a7f0a3f5152428a0ba9121794ea
SHA1

e6b4227d43de5cd31cc8e4ce12e0c980750a432d
SHA256

42ed9d768f1f39a738dd36c2c4fcc8e846f45517f3ff05d145ff4ca987fa2dfe
SHA512

2087000c9bc150c658ec1dc974c29fb9564366f391fb9938ebbdbfec90bd76e91aa4511b26989131d895696fe61861cbb6b12beea79c02299d0278292f77372f
SSDEEP

48:NpYZOp+Kwfo2mmsuvgx/74Pb6cuL92n19DZN+nAyG7BWcss4svxCj0ie:NpkVKOi0xxe2n19TCA39Wcfnp3

Score

1^/10

Malware Config

Signatures

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\ = "IVideoSet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\ProxyStubClsid32\ = "{509C4001-13C5-11D5-8F2A-0080C84E9C39}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}\ProxyStubClsid32\ = "{509C4001-13C5-11D5-8F2A-0080C84E9C39}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}\ProxyStubClsid32\ = "{509C4001-13C5-11D5-8F2A-0080C84E9C39}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}\ = "IVideoSet3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}\NumMethods\ = "47"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64c56a7f0a3f5152428a0ba9121794ea_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}\ = "ICLAudProp3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}\ = "IDxvaConfig"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}\ProxyStubClsid32\ = "{509C4001-13C5-11D5-8F2A-0080C84E9C39}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}\NumMethods\ = "33"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}\NumMethods\ = "24"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4A7B79D-4473-4C4F-8F26-E240BFEDB72A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}\ProxyStubClsid32\ = "{509C4001-13C5-11D5-8F2A-0080C84E9C39}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC8869C0-D263-49FE-BF43-4682BF7EA183}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{509C4001-13C5-11D5-8F2A-0080C84E9C39}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E972830F-9A57-49D4-90A0-D3D289C71CF2}\ = "IVideoSet2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AA0EC6-10E5-494C-AE9B-5541264CE597}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509C4001-13C5-11D5-8F2A-0080C84E9C39}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4552	2452	regsvr32.exe	91
PID 2452 wrote to memory of 4552	2452	regsvr32.exe	91
PID 2452 wrote to memory of 4552	2452	regsvr32.exe	91

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\64c56a7f0a3f5152428a0ba9121794ea_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\64c56a7f0a3f5152428a0ba9121794ea_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
1⤵
PID:380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4552-0-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads