Overview
overview
7Static
static
70e143d9728...18.exe
windows7-x64
70e143d9728...18.exe
windows10-2004-x64
7$COMMONFIL...og.dll
windows7-x64
4$COMMONFIL...og.dll
windows10-2004-x64
4$COMMONFIL...n7.dll
windows7-x64
3$COMMONFIL...n7.dll
windows10-2004-x64
1$COMMONFIL...st.exe
windows7-x64
1$COMMONFIL...st.exe
windows10-2004-x64
1$COMMONFIL...m.html
windows7-x64
1$COMMONFIL...m.html
windows10-2004-x64
1$COMMONFIL...xt.dll
windows7-x64
1$COMMONFIL...xt.dll
windows10-2004-x64
1$COMMONFIL...an.dll
windows7-x64
1$COMMONFIL...an.dll
windows10-2004-x64
1$COMMONFIL...fe.dll
windows7-x64
6$COMMONFIL...fe.dll
windows10-2004-x64
6$COMMONFIL...an.dll
windows7-x64
1$COMMONFIL...an.dll
windows10-2004-x64
3$COMMONFIL...fe.dll
windows7-x64
3$COMMONFIL...fe.dll
windows10-2004-x64
3$COMMONFIL...fa.exe
windows7-x64
1$COMMONFIL...fa.exe
windows10-2004-x64
3$COMMONFIL...rl.dll
windows7-x64
1$COMMONFIL...rl.dll
windows10-2004-x64
1$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDIR/OnTop.dll
windows7-x64
1$PLUGINSDIR/OnTop.dll
windows10-2004-x64
1Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 12:30
Behavioral task
behavioral1
Sample
0e143d9728a748ba6e77beeea8c2ed7e_JaffaCakes118.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral2
Sample
0e143d9728a748ba6e77beeea8c2ed7e_JaffaCakes118.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$COMMONFILES/Angels/AgLog.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
$COMMONFILES/Angels/AgLog.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$COMMONFILES/Angels/Agwin7.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$COMMONFILES/Angels/Agwin7.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$COMMONFILES/Angels/AngelAsst.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral8
Sample
$COMMONFILES/Angels/AngelAsst.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$COMMONFILES/Angels/IE360.htm.html
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral10
Sample
$COMMONFILES/Angels/IE360.htm.html
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$COMMONFILES/Angels/IEMenuExt.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$COMMONFILES/Angels/IEMenuExt.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$COMMONFILES/Angels/IEScan.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$COMMONFILES/Angels/IEScan.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$COMMONFILES/Angels/IEsafe.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$COMMONFILES/Angels/IEsafe.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$COMMONFILES/Angels/Scan.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral18
Sample
$COMMONFILES/Angels/Scan.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$COMMONFILES/Angels/WebSafe.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral20
Sample
$COMMONFILES/Angels/WebSafe.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$COMMONFILES/Angels/go114fa.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral22
Sample
$COMMONFILES/Angels/go114fa.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$COMMONFILES/Angels/xFoCtrl.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral24
Sample
$COMMONFILES/Angels/xFoCtrl.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/OnTop.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/OnTop.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
$COMMONFILES/Angels/xFoCtrl.dll
-
Size
161KB
-
MD5
c36c9659941e30c5a296421250f4ce74
-
SHA1
b4dfd3a90798474108e061fa4130581171679d40
-
SHA256
76f33de89d28c74c9e90939fcaf2aefc860c479e2e494986b4a75783957ea956
-
SHA512
328faadfb244761ee860dcfa2913900f790510e16f4799fc6c49a5a57d0f7796718655472224a6d004d2a570c0f6492dd0549a49d6759496662c9120776e8a8b
-
SSDEEP
3072:g8nvO1B0Rn+rXBllu2jMLaj6ocVkTpS+lsOJx1j:Fnv9Rn+/faPbeIjsj
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject\CurVer\ = "XFlashObjectCtrl.XFlashObject.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject\CLSID\ = "{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib\ = "{2BA68F98-26E2-4070-8462-F52F04DF1219}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject.1\ = "XFlashObject Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\ = "XFlashObject Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$COMMONFILES\\Angels\\xFoCtrl.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ = "IXFlashObject" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ = "IXFlashObject" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ = "_IXFlashObjectEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject.1\CLSID\ = "{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject\ = "XFlashObject Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\VersionIndependentProgID\ = "XFlashObjectCtrl.XFlashObject" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$COMMONFILES\\Angels\\xFoCtrl.dll, 101" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ = "_IXFlashObjectEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2BA68F98-26E2-4070-8462-F52F04DF1219}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$COMMONFILES\\Angels\\xFoCtrl.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\TypeLib\ = "{2BA68F98-26E2-4070-8462-F52F04DF1219}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\TypeLib\ = "{2BA68F98-26E2-4070-8462-F52F04DF1219}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CA5A5BB-E1E2-4C22-B8C7-5C15D7C6D1ED}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65575D9C-B33A-4172-91B2-C12628DDC05C}\TypeLib\ = "{2BA68F98-26E2-4070-8462-F52F04DF1219}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFlashObjectCtrl.XFlashObject.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5B8CE58-BF6B-4A75-9E7F-4D7BED570B6E}\ProgID\ = "XFlashObjectCtrl.XFlashObject.1" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28 PID 2496 wrote to memory of 1656 2496 regsvr32.exe 28