592ad8f762a9456c35092f9ba8efb308f2720579f7aa5c2fd8c2d8aa8a284468

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e3ae42a1b148c3f1f939957c22bdd97_JaffaCakes118.dll
Size

220KB
MD5

5e3ae42a1b148c3f1f939957c22bdd97
SHA1

f5c7b9109b710d45bc1d3f49a195b2e9fb2d5ecf
SHA256

592ad8f762a9456c35092f9ba8efb308f2720579f7aa5c2fd8c2d8aa8a284468
SHA512

595a81e214a0edc8ba765336ed56852b44956a10a0ef8d686ca02c6c57f05c25aaee11522896c714d3f2c4e72dcc01deb60212ec0b36fe2a9cced61e502861fc
SSDEEP

3072:HtpPHZQtckqwyznOKGEWnifIZYJQZkpR6hIkMtT/FgqdZQFmg5+2vQbe:Np2txyz/GHi6BZkpSMtRhwFTbvQbe

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	regsvr32.exe

Loads dropped DLL 5 IoCs

pid	Process
2160	regsvr32.exe
2936	rundll32.exe
2936	rundll32.exe
2936	rundll32.exe
2160	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32"	regsvr32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\PROGRA~2\3721\i3721res.dat	regsvr32.exe
File created	C:\PROGRA~2\3721\3721\helper.dll	regsvr32.exe
File created	C:\PROGRA~2\3721\3721\cns01.dat	regsvr32.exe
File created	C:\PROGRA~2\3721\cns01.dat	regsvr32.exe
File opened for modification	C:\PROGRA~2\3721\cns01.dat	regsvr32.exe
File created	C:\PROGRA~2\3721\helper.dll	regsvr32.exe
File created	C:\PROGRA~2\3721\autolive.dll	regsvr32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2780 wrote to memory of 2160	2780	regsvr32.exe	30
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31
PID 2160 wrote to memory of 2936	2160	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3ae42a1b148c3f1f939957c22bdd97_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5e3ae42a1b148c3f1f939957c22bdd97_JaffaCakes118.dll
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\3721\helper.dll

Filesize
44KB

MD5
025d30ec1875510defb35706699db2fc

SHA1
ebdadbf85db72b28b41e1b6f90e6a28fa5f92a7c

SHA256
dcd7f2861bc42728ce18a0397717f4853f28a7cb1139c43ef2ad34a5c605dfef

SHA512
96c9025abb7a1121b28be31b18b63a06fecbe5f769da8e69e507570bdbe55c1dd75653d0b0ff70e86798bbc2f78e4ac392cde4579fca0f71a29c689c7a2f9f88

Download Submit
\PROGRA~2\3721\autolive.dll

Filesize
220KB

MD5
5e3ae42a1b148c3f1f939957c22bdd97

SHA1
f5c7b9109b710d45bc1d3f49a195b2e9fb2d5ecf

SHA256
592ad8f762a9456c35092f9ba8efb308f2720579f7aa5c2fd8c2d8aa8a284468

SHA512
595a81e214a0edc8ba765336ed56852b44956a10a0ef8d686ca02c6c57f05c25aaee11522896c714d3f2c4e72dcc01deb60212ec0b36fe2a9cced61e502861fc

Download Submit
memory/2160-15-0x0000000000210000-0x0000000000249000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads