Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 08:48
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 66e4a2234a266c586a68db553154687f_JaffaCakes118.dll
Resource: win7-20240704-en (windows7-x64)
2 signatures
150 seconds

Behavioral task: behavioral2
Sample: 66e4a2234a266c586a68db553154687f_JaffaCakes118.dll
Resource: win10v2004-20240709-en (windows10-2004-x64)
2 signatures
150 seconds
General

Target: 66e4a2234a266c586a68db553154687f_JaffaCakes118.dll
Size: 244KB
MD5: 66e4a2234a266c586a68db553154687f
SHA1: 60405ba8c268f2a6ba3c966b524e77129a019174
SHA256: 76caf64fd49e7475b7d9c352e4ac2308699bd629f132d8d8717eef34a80f7e6a
SHA512: 1171615e34f922a731aca4ff7edcde3b34c8f7a4b246827c26849e7b5e1e94753a9c764f0a0cdff4031543415393cfa27a1137456cc79c51024a30fa28d94600
SSDEEP: 6144:3/TXHO38rCvC4KBS8BBaLWU3tAAqQzkSFVtev3RaCtrc/j3:vTXHO38rCvC4K0maLWU3O3rvRnto/7
Score: 1/10
Malware Config
Signatures
Modifies registry class (12 IoCs)

description: Key deleted
ioc / Process:
  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE - regsvr32.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile - regsvr32.exe
Suspicious use of WriteProcessMemory (3 IoCs)

description / pid / Process / procid_target:
  PID 1508 wrote to memory of 3892 - 1508 - regsvr32.exe - 84
  PID 1508 wrote to memory of 3892 - 1508 - regsvr32.exe - 84
  PID 1508 wrote to memory of 3892 - 1508 - regsvr32.exe - 84
Processes

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\66e4a2234a266c586a68db553154687f_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 1508

C:\Windows\SysWOW64\regsvr32.exe
  command line: /s C:\Users\Admin\AppData\Local\Temp\66e4a2234a266c586a68db553154687f_JaffaCakes118.dll
  - Modifies registry class
  PID: 3892