Overview
overview
7Static
static
305df8d890e...18.exe
windows7-x64
705df8d890e...18.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ib.dll
windows7-x64
3$PLUGINSDI...ib.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$R0.dll
windows7-x64
1$R0.dll
windows10-2004-x64
1$R2/NSIS.L...2_.exe
windows7-x64
1$R2/NSIS.L...2_.exe
windows10-2004-x64
1$SYSDIR/DWSHK80.dll
windows7-x64
1$SYSDIR/DWSHK80.dll
windows10-2004-x64
1$SYSDIR/MSVBVM60.dll
windows7-x64
1$SYSDIR/MSVBVM60.dll
windows10-2004-x64
1$SYSDIR/VB6KO.dll
windows7-x64
1$SYSDIR/VB6KO.dll
windows10-2004-x64
1$SYSDIR/dwsbc80.dll
windows7-x64
1$SYSDIR/dwsbc80.dll
windows10-2004-x64
1$SYSDIR/dw...80.dll
windows7-x64
1$SYSDIR/dw...80.dll
windows10-2004-x64
1UrlUpdate.exe
windows7-x64
7UrlUpdate.exe
windows10-2004-x64
7efbbar.dll
windows7-x64
1efbbar.dll
windows10-2004-x64
1efsbar.dll
windows7-x64
1efsbar.dll
windows10-2004-x64
1iewindow.exe
windows7-x64
1iewindow.exe
windows10-2004-x64
1nnlogon.exe
windows7-x64
1nnlogon.exe
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
20/06/2024, 12:11
Static task
static1
Behavioral task
behavioral1
Sample
05df8d890eb18614a7d206b41453d306_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
05df8d890eb18614a7d206b41453d306_JaffaCakes118.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/TypeLib.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/TypeLib.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$R0.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral10
Sample
$R0.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$R2/NSIS.Library.RegTool.v3.$_2_.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral12
Sample
$R2/NSIS.Library.RegTool.v3.$_2_.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$SYSDIR/DWSHK80.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$SYSDIR/DWSHK80.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$SYSDIR/MSVBVM60.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral16
Sample
$SYSDIR/MSVBVM60.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$SYSDIR/VB6KO.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral18
Sample
$SYSDIR/VB6KO.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$SYSDIR/dwsbc80.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
$SYSDIR/dwsbc80.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$SYSDIR/dwshengine80.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral22
Sample
$SYSDIR/dwshengine80.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
UrlUpdate.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral24
Sample
UrlUpdate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
efbbar.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral26
Sample
efbbar.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
efsbar.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
efsbar.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
iewindow.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral30
Sample
iewindow.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
nnlogon.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral32
Sample
nnlogon.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
$R0.dll
-
Size
174KB
-
MD5
3984956c55c48b8822e908df7fe019fd
-
SHA1
2e68f7b39e9ba71aa673c54ebbad7233218590d9
-
SHA256
1003a84d5e1e35e0873ed0b6ed184e7348480184beeb714ee0e65107edfdbb3e
-
SHA512
44180b1705b60782a5bb7ff3f371ab55de7c012006e8659a15af03f35dfe15729493083de03047d12898248f5802f2f4f4759eef0dcece4bee92f0153c40172e
-
SSDEEP
3072:pdNVHMZC51dzABC8e/zTqqfiZIE8+i8nyP2PaxxG9p:phsATqqiZIEHyeizGv
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D00D2AA-A077-4914-A046-62E2A7BA9C11}\ = "IURLHelper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{323EDAF0-DD73-47E1-9C77-76261365F2A6}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.ISubclass regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\ = "_IURLHelper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ = "_CTimer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib\Version = "415.4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\TypeLib\Version = "415.4" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CSBCriterion\Clsid\ = "{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{149BD92F-B28E-4C04-8B4D-46CDD176B7E4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\ProxyStubClsid regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{323EDAF0-DD73-47E1-9C77-76261365F2A6}\VERSION regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ = "_GSubclass" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\ProgID\ = "ntmURL.CSBCriteria" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\ProgID\ = "ntmURL.IInputObjectCallback" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ProxyStubClsid regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ = "_CTimer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ = "_GSubclass" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\TypeLib\Version = "415.4" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\VERSION\ = "1045.4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD708967-6D59-4C25-90CE-22C6C7B1B9CE}\ProxyStubClsid regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IURLHelper regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\TypeLib\Version = "415.4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CSBCriterion regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ = "_ISubclass" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\Forward\ = "{FA496C82-EF15-498A-9281-71C17D2E83B1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ProxyStubClsid regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7BFE371-AB4F-48A9-8E4B-746CDC3377F0}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ = "_CSBCriterion" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\VERSION regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IInputObjectCallback\ = "ntmURL.IInputObjectCallback" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6E6B197-9348-449E-A149-384B208874B1}\415.4 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4556 wrote to memory of 4220 4556 regsvr32.exe 83 PID 4556 wrote to memory of 4220 4556 regsvr32.exe 83 PID 4556 wrote to memory of 4220 4556 regsvr32.exe 83