2e8fdc98ccd4ec2888b43c6e2f40da8fd92e793df251b73c6a2172cf8f8c69af

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 10:20

Target

4565fc7b16630ed202e2750eadabee3d_JaffaCakes118.dll
Size

86KB
MD5

4565fc7b16630ed202e2750eadabee3d
SHA1

302572d61c7ca57efb567b9796f4d026ad119549
SHA256

2e8fdc98ccd4ec2888b43c6e2f40da8fd92e793df251b73c6a2172cf8f8c69af
SHA512

e0f7f013f0d65edff1b5bfe5bb82f4768c5073625dea8d6bcd7739b8d4727ca22a3ab1258cc3cddcc3fbfbc611eb0cc5e81b95b9e873f799484fcaf985a47d66
SSDEEP

1536:cUWB3oJSJveJccFICRHlmnvr5S7DGLQ7kX79fg90vb1+tSosyPNHPCOfG9cGR8yS:cUWKJ6wVIoFmY76L9p5+tSolPdPpDO8L

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}\ = "4565fc7b16630ed202e2750eadabee3d_JaffaCakes118"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4565fc7b16630ed202e2750eadabee3d_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3008	4764	regsvr32.exe	83
PID 4764 wrote to memory of 3008	4764	regsvr32.exe	83
PID 4764 wrote to memory of 3008	4764	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4565fc7b16630ed202e2750eadabee3d_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4565fc7b16630ed202e2750eadabee3d_JaffaCakes118.dll
  2⤵
  - Modifies registry class
  PID:3008

memory/3008-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-2-0x000000000043B000-0x000000000043C000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-3-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download