c139dfe6ba19f52272fc1b2149666ce41eed516d460f6f91079d497fb2f5375d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe
Size

71KB
MD5

386c079107e01242f4ff32f49c5c1c6a
SHA1

781e163f6478f88fa9c348a5e4a651692fd804e9
SHA256

c139dfe6ba19f52272fc1b2149666ce41eed516d460f6f91079d497fb2f5375d
SHA512

b0d8e1242e481d4f77cff29ede6b128600b10909cf3faa8fc37080cc96bec5900890e6adcd21a1adf6184b98e65f4289c7dd5707b6f8317a63dc609b2fc8b167
SSDEEP

1536:UHs2glCzaPWcAD2Be161tOAdZUv+O8kAzmoScpgfkEfRmGPn8mm7:UHsEzgWcADZa8GM+rzmYpgfaGPn83

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1656	regsvr32.exe
676	386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\ = "Microsoft Common Dialog Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Font Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\ = "Microsoft Common Dialog Control 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Print Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx, 1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Color Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\ = "Microsoft Common Dialog Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Help Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Comdlg32.ocx"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
676	386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1656	676	386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe	83
PID 676 wrote to memory of 1656	676	386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe	83
PID 676 wrote to memory of 1656	676	386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\386c079107e01242f4ff32f49c5c1c6a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s Comdlg32.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Comdlg32.ocx

Filesize
136KB

MD5
3ec0a48ed8d8a019175cfa3952ccb3b7

SHA1
075ffa431a55a272c2cdfe465ac130ab654ba9e8

SHA256
f9ecca1f6718f7ab711e3f675dce438930079ca8649f101fb41a93d85977149d

SHA512
0c51c31c0fa9d5b4909a5085bd72881c4e4867f90c0e576d5344b311f4e1d22ed7141ff359e43dcf53e8c84782bc34062c16dab04f63e73487e91b1db4cc33ca

Download Submit
memory/676-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/676-1-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/676-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/676-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/676-10-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads