dbe26c63cc97b46646230802e7117e3c91326499242fcb0b7cb63702e796a834

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 01:50

Target

2439f53ed8769b5a99e17f4afb46da9f_JaffaCakes118.dll
Size

52KB
MD5

2439f53ed8769b5a99e17f4afb46da9f
SHA1

1d52ceb55afa524b0910f16e6aa560e86a658022
SHA256

dbe26c63cc97b46646230802e7117e3c91326499242fcb0b7cb63702e796a834
SHA512

d97d475d1e64e8226bf20bf0ea642a2b32736b04d8162f283442e4a1326bbcb4b96c8303bc473ab217c11b4c418492fe8afba117fc077a39799f4a4b0935689c
SSDEEP

1536:mHhncLFASZXtYcw/cATiRk2A58HNEHxj52uqao6:mIZXhMCE9528o6

Score

1^/10

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YÛ#ûÒå\?ó8†Ê™‰±.É¨Ü”›ÎÓÂ9w†qòæ8Å·Ê”©Þ”Ý™#$± = ".É\x05¨Ü”›ÎÓÂ\u008d9w†qòæ\x05\x1b\x1e8Å\x10·Ê”©Þ”Ý™#$±"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YÛ#ûÒå\ = "8Ó\x11»â\u0081ƒÑ´ÞŸ)B"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YÛ#ûÒå\ = "\x18×\f¦Õž‘†œÏˆ\|sŸ\|÷Ñ"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\!ú2‰û§ÞÒãƒ)È/½OPwä’P¶Ò¿Ã‘‚Ï†Ì¯ãŠ•bQnÔä-ò=˜È“¥ø¨ä¨*é–šyceøò9ñ™ñ¢Ð	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\!ú2‰û§ÞÒãƒ)È/½OPwä’P¶Ò¿Ã‘‚Ï†Ì¯ãŠ•bQnÔä-ò=˜È“¥ø¨ä¨*é–šyceøò9ñ™ñ¢Ð\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2439f53ed8769b5a99e17f4afb46da9f_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VÔ,ôÝ¶ÏÃà	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VÔ,ôÝ¶ÏÃà\ = "Pƒ\x02ŒŠ˜É±4Å\x1b¾Æ…ŸÂ”ÜŽ!2Ã["	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YÛ#ûÒå	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28
PID 2884 wrote to memory of 2956	2884	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2439f53ed8769b5a99e17f4afb46da9f_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2439f53ed8769b5a99e17f4afb46da9f_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:2956