Overview
overview
7Static
static
76a37efdff3...18.exe
windows7-x64
76a37efdff3...18.exe
windows10-2004-x64
7$PLUGINSDI...er.exe
windows7-x64
7$PLUGINSDI...er.exe
windows10-2004-x64
7$PLUGINSDI...BI.exe
windows7-x64
3$PLUGINSDI...BI.exe
windows10-2004-x64
3$PLUGINSDI...cc.exe
windows7-x64
7$PLUGINSDI...cc.exe
windows10-2004-x64
7$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ed.htm
windows7-x64
1$PLUGINSDI...ed.htm
windows10-2004-x64
1$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...lp.dll
windows7-x64
1$PLUGINSDI...lp.dll
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...os.dll
windows7-x64
3$PLUGINSDI...os.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$PLUGINSDI...ay.dll
windows7-x64
7$PLUGINSDI...ay.dll
windows10-2004-x64
7$PLUGINSDI...te.exe
windows7-x64
7$PLUGINSDI...te.exe
windows10-2004-x64
7$PLUGINSDI...st.dll
windows7-x64
1$PLUGINSDI...st.dll
windows10-2004-x64
3$PLUGINSDIR/xml.dll
windows7-x64
3$PLUGINSDIR/xml.dll
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 07:38
Behavioral task
behavioral1
Sample
6a37efdff304091d8c708f2ae57be4ed_JaffaCakes118.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral2
Sample
6a37efdff304091d8c708f2ae57be4ed_JaffaCakes118.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/$_354_/ProxyInstaller.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/$_354_/ProxyInstaller.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/$_355_/BI.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/$_355_/BI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/$_356_/DownloadAcc.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/$_356_/DownloadAcc.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/BunndleOfferManager.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/BunndleOfferManager.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/Failed.htm
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/Failed.htm
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/FirefoxHandler.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/FirefoxHandler.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/OCSetupHlp.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/OCSetupHlp.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/execDos.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/execDos.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/nsArray.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsArray.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/wajam_validate.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/wajam_validate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/webapphost.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/webapphost.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/xml.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/xml.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
$PLUGINSDIR/BunndleOfferManager.dll
-
Size
339KB
-
MD5
f09bb97b9b8e2048fe562e78f761a0b7
-
SHA1
a7243e5768aea8717b22a6c7f0b144c5876dfe0f
-
SHA256
f65e438aa098d9e5742821763d355939724e923ea418ca7443439e7a409ba808
-
SHA512
430f4aa2945e366df3240ef96be3a1d0868383cb3a950cfe0b6fbf5fcd9cf239430900ae79bed3f55e15a50f365c8b021aa82c069826e96a355c8a7cfde66974
-
SSDEEP
6144:7yv0RMsT8lzZZOC4+OeO+OeN7VBBhhBBrXLsbg+vwzlTMw/8ZL8ITe:cYrAZOC4+OeO+OeNhBBhhBBzLsbg+vwd
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ = "IBunndleOfferManager2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\AppId = "{2C9E6EB4-45BD-4855-A0C2-4614D4C49DBA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ = "IInstallScriptHelper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID\ = "Bunndle.BunndleOfferManager.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\ = "BunndleOfferManager 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\ = "BunndleOfferManager Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\BunndleOfferManager.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ = "IInstallScriptHelper" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer\ = "Bunndle.BunndleOfferManager.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 1444 wrote to memory of 1932 1444 regsvr32.exe regsvr32.exe PID 1444 wrote to memory of 1932 1444 regsvr32.exe regsvr32.exe PID 1444 wrote to memory of 1932 1444 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BunndleOfferManager.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BunndleOfferManager.dll2⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵