6a15746ec8c07fcc5f10e6cc85049b44be07824bd6c66aeb45994d3274c7fa25

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

816e97b8ad62f096c6c02ae899ef97db_JaffaCakes118.dll
Size

83KB
MD5

816e97b8ad62f096c6c02ae899ef97db
SHA1

3fa7e92c999e6b575fe9b48c220a8d3b7d1a95c7
SHA256

6a15746ec8c07fcc5f10e6cc85049b44be07824bd6c66aeb45994d3274c7fa25
SHA512

5d1ae06c4489c0022a32809d2dd8d53ef374d96c08a244673f86586f95f662363b7912784c40e4e0d4c3e0beec6a938b847212d528501916d4bf19b790804b3a
SSDEEP

1536:c+YK6Q5CXMFR+W45mc8M+kGsIhMMa7Yc4Givd1HiTpq:KY5C8W3cFhNCWcpq

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pot\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020810-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\ = "Microsoft Office Filter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pot	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xls	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA7BAE70-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xls\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA7BAE71-FB3B-11CD-A903-00AA00510EA3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlc\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dot\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\ = "Microsoft Office Persistent Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pps\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlc	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32\ = "OffFilt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020810-0000-0000-C000-000000000046}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pps\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlc\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlt\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA7BAE71-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020810-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xls\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\PersistentAddinsRegistered	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dot\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlb\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pps	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020820-0000-0000-C000-000000000046}\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlb	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlt\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA7BAE70-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pot\PersistentHandler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}\ = "{f07f3920-7b8c-11cf-9be8-00aa004b9986}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2976	4540	regsvr32.exe	82
PID 4540 wrote to memory of 2976	4540	regsvr32.exe	82
PID 4540 wrote to memory of 2976	4540	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\816e97b8ad62f096c6c02ae899ef97db_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\816e97b8ad62f096c6c02ae899ef97db_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-1-0x0000000019672000-0x0000000019673000-memory.dmp

Filesize
4KB

Download
memory/2976-0-0x0000000019640000-0x0000000019674000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads