cb42fc8118ce35624de2779e9aa91f078a7c473b6d69c23cf41e1352c31da327

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 04:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1b1050019296f46ff1bb6786908471e_JaffaCakes118.dll
Size

6.9MB
MD5

e1b1050019296f46ff1bb6786908471e
SHA1

2290f8c6ffd8df994b623d6610e2296722787bd2
SHA256

cb42fc8118ce35624de2779e9aa91f078a7c473b6d69c23cf41e1352c31da327
SHA512

3f233c5b020fd2e68e83fec71c81a13a131a7911b563c793a6efe7904ee6318c11723e4e3b2e55277499a4b994d3c1c641f28e16f91617b718fb6c2c302f8d0e
SSDEEP

49152:PbE1/4iYll93tUyWoPdXRN966/VjFzpzxngMq1khWOAxFKKUa3iY1u8xfjMCHD57:P+APBt/d1bQ1dIYEwD50nFfr1xlbru

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "10000"	regsvr32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ = "IMSOfficeAddin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER\CurVer\ = "WordAddinPH.FpcWordAddinPER.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib\ = "{443B8102-3970-4E22-BF70-6F7B366583E8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib\ = "{443B8102-3970-4E22-BF70-6F7B366583E8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1b1050019296f46ff1bb6786908471e_JaffaCakes118.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib\ = "{443B8102-3970-4E22-BF70-6F7B366583E8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ = "IWordAddinPHPER"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1b1050019296f46ff1bb6786908471e_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER\CLSID\ = "{D365DB39-AE9A-4699-B643-52624E115352}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib\ = "{443B8102-3970-4E22-BF70-6F7B366583E8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ = "IWordAddinPHPER"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ = "IMSOfficeAddin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\ = "WordAddinPHPER Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\TypeLib\ = "{443B8102-3970-4E22-BF70-6F7B366583E8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER.1\ = "WordAddinPHPER Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D365DB39-AE9A-4699-B643-52624E115352}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B8102-3970-4E22-BF70-6F7B366583E8}\1.0\ = "WordAddin_PHPERLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31043BFF-258C-46C1-BAED-2D62B4E326FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER.1\CLSID\ = "{D365DB39-AE9A-4699-B643-52624E115352}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WordAddinPH.FpcWordAddinPER\ = "WordAddinPHPER Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B7673B1-FAB0-48E5-904E-1A9FDBCE226B}\ProxyStubClsid32	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e1b1050019296f46ff1bb6786908471e_JaffaCakes118.dll
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads