Analysis Overview
SHA256
d9e42e981974d8e0a4ae25dd92378b24fb8460b9b0178fabeb5a00214ed508e4
Threat Level: Shows suspicious behavior
The file 0307dc2b359e25772cedda86d9e5c874_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Writes to the Master Boot Record (MBR)
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 22:30
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 22:30
Reported
2024-06-23 22:33
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll
Network
Files
memory/1732-0-0x0000000074650000-0x0000000074697000-memory.dmp
memory/1732-1-0x0000000000220000-0x0000000000250000-memory.dmp
memory/1732-2-0x0000000000210000-0x0000000000213000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 22:30
Reported
2024-06-23 22:33
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/2272-0-0x0000000074BE0000-0x0000000074C27000-memory.dmp
memory/2272-1-0x0000000000AF0000-0x0000000000B20000-memory.dmp
memory/2272-22-0x0000000002470000-0x0000000002471000-memory.dmp
memory/2272-51-0x0000000002700000-0x0000000002701000-memory.dmp
memory/2272-50-0x00000000026E0000-0x00000000026E1000-memory.dmp
memory/2272-49-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/2272-48-0x00000000026C0000-0x00000000026C1000-memory.dmp
memory/2272-47-0x00000000026D0000-0x00000000026D1000-memory.dmp
memory/2272-46-0x00000000026A0000-0x00000000026A1000-memory.dmp
memory/2272-45-0x00000000026B0000-0x00000000026B1000-memory.dmp
memory/2272-44-0x0000000002680000-0x0000000002681000-memory.dmp
memory/2272-43-0x0000000002690000-0x0000000002691000-memory.dmp
memory/2272-42-0x0000000002660000-0x0000000002661000-memory.dmp
memory/2272-41-0x0000000002670000-0x0000000002671000-memory.dmp
memory/2272-40-0x0000000002640000-0x0000000002641000-memory.dmp
memory/2272-39-0x0000000002650000-0x0000000002651000-memory.dmp
memory/2272-38-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/2272-37-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/2272-36-0x0000000002580000-0x0000000002581000-memory.dmp
memory/2272-35-0x0000000002590000-0x0000000002591000-memory.dmp
memory/2272-34-0x0000000002560000-0x0000000002561000-memory.dmp
memory/2272-33-0x0000000002570000-0x0000000002571000-memory.dmp
memory/2272-32-0x0000000002540000-0x0000000002541000-memory.dmp
memory/2272-31-0x0000000002550000-0x0000000002551000-memory.dmp
memory/2272-30-0x0000000002520000-0x0000000002521000-memory.dmp
memory/2272-29-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2272-28-0x0000000002500000-0x0000000002501000-memory.dmp
memory/2272-27-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/2272-26-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/2272-25-0x00000000024D0000-0x00000000024D1000-memory.dmp
memory/2272-24-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/2272-23-0x00000000024B0000-0x00000000024B1000-memory.dmp
memory/2272-21-0x0000000002490000-0x0000000002491000-memory.dmp
memory/2272-20-0x0000000002450000-0x0000000002451000-memory.dmp
memory/2272-19-0x0000000002460000-0x0000000002461000-memory.dmp
memory/2272-18-0x0000000002430000-0x0000000002431000-memory.dmp
memory/2272-17-0x0000000002440000-0x0000000002441000-memory.dmp
memory/2272-16-0x0000000002410000-0x0000000002411000-memory.dmp
memory/2272-15-0x0000000002420000-0x0000000002421000-memory.dmp
memory/2272-14-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/2272-13-0x0000000002400000-0x0000000002401000-memory.dmp
memory/2272-12-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/2272-11-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/2272-10-0x00000000023A0000-0x00000000023A1000-memory.dmp
memory/2272-9-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/2272-8-0x0000000002380000-0x0000000002381000-memory.dmp
memory/2272-7-0x0000000002390000-0x0000000002391000-memory.dmp
memory/2272-6-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/2272-5-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/2272-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2272-3-0x0000000000990000-0x0000000000991000-memory.dmp
memory/2272-2-0x00000000009A0000-0x00000000009A3000-memory.dmp