661dfdd9c08dae4de0136bc3470f677bfe62b2db4f4799fea5a1a79f361fbb7d

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe
Size

746KB
MD5

4a810d8a72fa0033fa4922354a1c6c85
SHA1

3e1f7ba328e80234e757b1b85b66afb99154b360
SHA256

661dfdd9c08dae4de0136bc3470f677bfe62b2db4f4799fea5a1a79f361fbb7d
SHA512

4aeae1ea1cf63c7daf542686249cd284b56ad4d9721ec157358661d28ccb02312e2571603f62d5d9ba742a94f7a34d711cc35b15e2a89d0dc759d547a8a74dfb
SSDEEP

12288:autrzh9xOXkKNj17cGK0S+j7rzGrK4jOxAjk447VjT56QNxu8CNMeiOKdhepQpbj:autr5OUK9+FB+vfo698rNMe7shrVD

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
672	nsload.exe
580	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe
2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe
672	nsload.exe
672	nsload.exe
2744	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015d39-15.dat	upx
behavioral1/memory/672-24-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/672-37-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSCMCKO.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MSCMCKO.DLL	cmd.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\VB6KO.DLL	cmd.exe
File created	C:\Windows\SysWOW64\INETKO.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\INETKO.DLL	cmd.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ImageListCtrl.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\ = "Microsoft StatusBar Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ProgCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\ = "Microsoft StatusBar Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.SBarCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CLSID\ = "{1EFB6596-857C-11D1-B16A-00C0F0283628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CLSID\ = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\ = "Microsoft ListView Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ = "IImageCombo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}	regsvr32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 2004 wrote to memory of 672	2004	4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe	28
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 672 wrote to memory of 580	672	nsload.exe	29
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 580 wrote to memory of 936	580	b2e.exe	30
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2744	936	cmd.exe	32
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 936 wrote to memory of 2712	936	cmd.exe	33
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34
PID 580 wrote to memory of 2764	580	b2e.exe	34

C:\Users\Admin\AppData\Local\Temp\4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a810d8a72fa0033fa4922354a1c6c85_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\temp\xfile\nsload.exe
  "C:\temp\xfile\nsload.exe" ???.zip
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\CC73.tmp\b2e.exe
    "C:\Users\Admin\AppData\Local\Temp\CC73.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CC73.tmp\b2e.exe c:\temp\xfile "C:\temp\xfile\nsload.exe" ???.zip
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCC1.tmp\batfile.bat" ???.zip "
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\system32\MSINET.OCX"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2744
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\system32\MSCOMCTL.OCX"
        5⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
      4⤵
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCC1.tmp\batfile.bat

Filesize
694B

MD5
df01f14f6c91b570ee5d2df701303a1d

SHA1
494394871c118ebe035c75bebc38d025d24d3830

SHA256
241918c269f38492c7706fafff2a6924c0e7b5e5ecf98fe12c6ea7e1c558cd2e

SHA512
56aae1400c44f037cb5e7dcd419f704c06bd102bd15b9a87ab84b7e0c582526206f298830d52a113dfba8f1a6eb54902569650ae14702dea8b1583592eb03865

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
f5a9d7a038a108dbf51b9ac78debf426

SHA1
e41035b2d82e83383654af3c2a6a4512e912cd5f

SHA256
758a069161fe3d2c73b4e6beb63eae43d420659af013c17197ecb64054d92b98

SHA512
4ff4bb121f909b14ca2fa6f47c384df0994e3fb1cfebe573ce6a9491c2b4ab2ff3c5dbf65dcc7598e7e8e7624dbed6227f270e8909b9d3a2ed91714d689d5284

Download Submit
C:\temp\xfile\INETKO.DLL

Filesize
13KB

MD5
19e49c4802e54762f613cc3fd5c240c9

SHA1
cee468cfd04f12a9fcaa9549fd4e533afc745da4

SHA256
6672e7889d5671716182b4723963a7a5354731563eb5abb67c19a3f6e79f4d8b

SHA512
96bc601aa00395b902ef2361e863d09c828cda1a83f97b4031a8cf2f3f971c072097b1b3e8fa47a2c4ba8b945d79d9e240504aad239aafbe307ad13164f950a5

Download Submit
C:\temp\xfile\MSCMCKO.DLL

Filesize
121KB

MD5
1aedbff4f92aa576b0389deee971dc3c

SHA1
8814275b1ac156e7fd247f0a4071e62d247760c0

SHA256
7713469fb22fef9d711b3822f1df02e045d586ac06a4107a228a96e864da0a3f

SHA512
47d890b1e5bb71980c72079be5ebc7e491141b6465a91e047a47e4f163ff95e828c358e0f95abec1a73d47b3a866890d25ca48a625d60f939a829753a885f564

Download Submit
C:\temp\xfile\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\temp\xfile\VB6KO.DLL

Filesize
99KB

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Users\Admin\AppData\Local\Temp\CC73.tmp\b2e.exe

Filesize
9KB

MD5
5ab621cc157c3db0b5048beb4095d36d

SHA1
4dbd2370c0ac1c3114a83c9d6df2cd6b480da769

SHA256
85de42327eeb2121e53dbd0c3649968b74416539a8b5243ec87fba7a7ab16336

SHA512
fb82ac72e7010840ad63fd43e850cc4e23d6e2a6ed797bb9f9dccc9d033b040824ff452da9391647a4e7ad0f9a7dcfa77141190fce8c2a85b2778cacf3c47935

Download Submit
\temp\xfile\nsload.exe

Filesize
8KB

MD5
51c85608127ca73eb995d1c7e7a6463f

SHA1
24b1bc530c114fc45882acf74f97944886bfcdb5

SHA256
df261be2e5a94f6829ce8ccc28357b39ea2938b2805bceb5076a2a08dc45e46f

SHA512
ef7b60368b15815243e6809b715e856a5be819bded2e004474b2e07b9b95915598d8bc356270f48497a7df0f5225eeda13de78282b2ae432d0e04a672f2a0667

Download Submit
memory/580-40-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/580-77-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-32-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/672-34-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/672-37-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/672-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2004-22-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2004-21-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download