Overview (score 7)
Static (score 3)
245971935b...18.exe, windows7-x64 (score 7)
245971935b...18.exe, windows10-2004-x64 (score 7)
$PLUGINSDI...LL.dll, windows7-x64 (score 3)
$PLUGINSDI...LL.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...ns.dll, windows7-x64 (score 3)
$PLUGINSDI...ns.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...nu.dll, windows7-x64 (score 3)
$PLUGINSDI...nu.dll, windows10-2004-x64 (score 3)
$R0.dll, windows7-x64 (score 3)
$R0.dll, windows10-2004-x64 (score 1)
MYBMoneyMaker.exe, windows7-x64 (score 1)
MYBMoneyMaker.exe, windows10-2004-x64 (score 1)
Analysis
- max time kernel: 132s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 02:38
- static1: Static task
- behavioral1: 245971935b55a6a538adf3adfcdfb328_JaffaCakes118.exe (resource win7-20240221-en)
- behavioral2: 245971935b55a6a538adf3adfcdfb328_JaffaCakes118.exe (resource win10v2004-20240508-en)
- behavioral3: $PLUGINSDIR/FindProcDLL.dll (resource win7-20240221-en)
- behavioral4: $PLUGINSDIR/FindProcDLL.dll (resource win10v2004-20240611-en)
- behavioral5: $PLUGINSDIR/InstallOptions.dll (resource win7-20240419-en)
- behavioral6: $PLUGINSDIR/InstallOptions.dll (resource win10v2004-20240508-en)
- behavioral7: $PLUGINSDIR/StartMenu.dll (resource win7-20240508-en)
- behavioral8: $PLUGINSDIR/StartMenu.dll (resource win10v2004-20240508-en)
- behavioral9: $R0.dll (resource win7-20240508-en)
- behavioral10: $R0.dll (resource win10v2004-20240611-en)
- behavioral11: MYBMoneyMaker.exe (resource win7-20240611-en)
- behavioral12: MYBMoneyMaker.exe (resource win10v2004-20240611-en)
General
- Target: $R0.dll
- Size: 1.1MB
- MD5: b8b4495dfb1ec27954358617afc1deca
- SHA1: 5f208f81e29284e037fb2495c208d3d9fd0c1768
- SHA256: 6318bcb4942df15ca631c612e5a4e94f0130b68c31bf141dedcd1a485842a0cf
- SHA512: 3d95139d857a6f558aa296eb6334037892a5abd86614dc902d9af0d9a0b92a22d4e83a0dbd365f2749243a44a4a9b759bc796aefbbc758041e499d4699fb8e6d
- SSDEEP: 12288:XvDDdvVRS3eCnipPaeQLaD7vEXtDQ6z6+YmzW8ViYE2S4niJDdn56Yd:vl6laDWy8q4npy
Malware Config
Signatures
- Modifies registry class (64 IoCs, process regsvr32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4984 wrote to memory of 4588 | 4984 | regsvr32.exe | 82
  PID 4984 wrote to memory of 4588 | 4984 | regsvr32.exe | 82
  PID 4984 wrote to memory of 4588 | 4984 | regsvr32.exe | 82