d84965fbb96731f74a51fbfcdfaaed4da21c396e501dd47466fe58f58c2cf4cb

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe
Size

9.0MB
MD5

b588fc95e949a6039a66bf6cdc8cdd1c
SHA1

6aab27f94dbd1e1e4180c3a067d0e5715dae752d
SHA256

d84965fbb96731f74a51fbfcdfaaed4da21c396e501dd47466fe58f58c2cf4cb
SHA512

9e84eea36f4e2d138a8cc1705073b86745006aff3ae0f62114da1fbb6f30ba067330cc93496a168a0d860063565680fb4b2dec65a63a794ab04564c254a7f59e
SSDEEP

196608:K0mXuX+JJW1Qh5NnlmXHYIXb0prqN1PIUWQupXrcBoMIB+IHJFDYR96/:K0m0+Jss3lmXHNXirqNLWQAbcBoMIB+i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3084	Soda_PDF_8_Installer.exe

Loads dropped DLL 2 IoCs

pid	Process
1432	regsvr32.exe
4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\ = "StartItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD0796F7-CC0A-4353-A385-628CEAB598EB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1FCE31A-4DE7-4573-92EF-33AD14E3EECB}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0DC0864-A07F-4BFB-9FA5-54B76764CB4F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC300F7-DC0D-4640-BFBF-F6458815C205}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\AppID = "{53A998CB-A5C7-467E-BC47-30BCABB50766}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FC8865-E5C6-492D-8044-CBF135C63F61}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E72F452B-0034-4DCB-8648-91697629961B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADFA580A-3B17-4614-876C-8A425AAF60DD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD03845A-7BF4-426B-A04B-0498B94425FF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC0BAD05-E77D-4A9C-B8B0-CF57D6B55E07}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AAA9A07E-68FF-4215-84F2-96115976F786}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF68E6DC-0B1A-4169-9966-C06D8F2DE3D3}\ = "CancelDataStruct Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AAA9A07E-68FF-4215-84F2-96115976F786}	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A655F7B-EBCE-4572-A6AF-F3E8C63C592E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACDD6F49-B973-40B1-B94E-BAB29DC29AEA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E72F452B-0034-4DCB-8648-91697629961B}\ = "InstallItemModule3_1 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E72F452B-0034-4DCB-8648-91697629961B}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1FCE31A-4DE7-4573-92EF-33AD14E3EECB}\ = "ISaveUserDataStruct"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6535B95-1431-47D2-B13B-3964849AC007}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0662B660-9A85-4399-8D97-06B4748158F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A37C2155-D129-4489-BB43-AF7B51CEA603}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 8\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1FCE31A-4DE7-4573-92EF-33AD14E3EECB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 8\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB361CC1-078C-4A1C-924E-DD496D209681}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1FCE31A-4DE7-4573-92EF-33AD14E3EECB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF68E6DC-0B1A-4169-9966-C06D8F2DE3D3}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 8\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75F3F7EC-B2ED-4851-ABF1-9F1F29D1818E}\ = "DownloadItemModule3_1 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD03845A-7BF4-426B-A04B-0498B94425FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8916339-B029-4718-A51B-A1B37714CA35}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75F3F7EC-B2ED-4851-ABF1-9F1F29D1818E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE9FDA25-5E40-466B-81E2-53D1C1979BBE}\VersionIndependentProgID\ = "Statist_Prog_Id"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0DC0864-A07F-4BFB-9FA5-54B76764CB4F}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADF45922-0441-417C-A481-6A67897BB38A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75F3F7EC-B2ED-4851-ABF1-9F1F29D1818E}\AppID = "{53A998CB-A5C7-467E-BC47-30BCABB50766}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE9FDA25-5E40-466B-81E2-53D1C1979BBE}\ProgID\ = "Statist_Prog_Id.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6535B95-1431-47D2-B13B-3964849AC007}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A655F7B-EBCE-4572-A6AF-F3E8C63C592E}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADF45922-0441-417C-A481-6A67897BB38A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0662B660-9A85-4399-8D97-06B4748158F9}\ = "IInstallItemModule3_1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6D99FA6-1383-4686-87A5-32DB9FBA1CA0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A61A211B-5D44-4D4A-BEC7-191D7B60D28A}\ProxyStubClsid32	Soda_PDF_8_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A61A211B-5D44-4D4A-BEC7-191D7B60D28A}\TypeLib\Version = "1.0"	Soda_PDF_8_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF 8\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB6D2735-3392-47E1-83D6-6ED93BD71D54}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD03845A-7BF4-426B-A04B-0498B94425FF}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADC2246C-D09B-4F9F-8D09-053946196570}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0DC0864-A07F-4BFB-9FA5-54B76764CB4F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0662B660-9A85-4399-8D97-06B4748158F9}\ = "IInstallItemModule3_1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACDD6F49-B973-40B1-B94E-BAB29DC29AEA}\ = "IStartItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA749A56-CA0A-4378-A345-BDA07D2C641E}	Soda_PDF_8_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADFA580A-3B17-4614-876C-8A425AAF60DD}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FC8865-E5C6-492D-8044-CBF135C63F61}\TypeLib\ = "{A0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC0BAD05-E77D-4A9C-B8B0-CF57D6B55E07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E72F452B-0034-4DCB-8648-91697629961B}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe
4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3084	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	84
PID 4100 wrote to memory of 3084	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	84
PID 4100 wrote to memory of 3084	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	84
PID 4100 wrote to memory of 1432	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	85
PID 4100 wrote to memory of 1432	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	85
PID 4100 wrote to memory of 1432	4100	b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b588fc95e949a6039a66bf6cdc8cdd1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\ProgramData\Soda PDF 8\Installation\Soda_PDF_8_Installer.exe
  "C:\ProgramData\Soda PDF 8\Installation\Soda_PDF_8_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3084
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF 8\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF 8\Installation\Soda_PDF_8_Installer.exe

Filesize
9.0MB

MD5
b588fc95e949a6039a66bf6cdc8cdd1c

SHA1
6aab27f94dbd1e1e4180c3a067d0e5715dae752d

SHA256
d84965fbb96731f74a51fbfcdfaaed4da21c396e501dd47466fe58f58c2cf4cb

SHA512
9e84eea36f4e2d138a8cc1705073b86745006aff3ae0f62114da1fbb6f30ba067330cc93496a168a0d860063565680fb4b2dec65a63a794ab04564c254a7f59e

Download Submit
C:\ProgramData\Soda PDF 8\Installation\Statistics.dll

Filesize
1.2MB

MD5
901a3766a227aa0e2f8186f9a332963d

SHA1
464412f88e6e1ff6a6d8be71f292b6504a9b796c

SHA256
56a0f87869bc84fcff7888d336b4c5455e3c7651ff44dd1923130d7d391e2ea4

SHA512
b788a7d35497f5297e4e205aeea3793841647de2b9302186bbcd836b0d2ae949876d8c1d3679c0e331604c7ced971347b7ff07c574f9b7e69e34ec04dddf3546

Download Submit