Overview
overview
7Static
static
3eabe803357...18.exe
windows7-x64
5eabe803357...18.exe
windows10-2004-x64
5$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...in.dll
windows7-x64
3$PLUGINSDI...in.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$R0.dll
windows7-x64
7$R0.dll
windows10-2004-x64
72345BatchRename.dll
windows7-x64
12345BatchRename.dll
windows10-2004-x64
12345EditorApp.dll
windows7-x64
12345EditorApp.dll
windows10-2004-x64
12345Extract.dll
windows7-x64
12345Extract.dll
windows10-2004-x64
12345Image.dll
windows7-x64
12345Image.dll
windows10-2004-x64
12345ImageApp.dll
windows7-x64
12345ImageApp.dll
windows10-2004-x64
12345ImageCapture.dll
windows7-x64
12345ImageCapture.dll
windows10-2004-x64
12345MiniPage.exe
windows7-x64
2345MiniPage.exe
windows10-2004-x64
2345PdfApp.dll
windows7-x64
12345PdfApp.dll
windows10-2004-x64
12345PdfReader.exe
windows7-x64
2345PdfReader.exe
windows10-2004-x64
2345Pic.exe
windows7-x64
2345Pic.exe
windows10-2004-x64
2345PicEditor.exe
windows7-x64
2345PicEditor.exe
windows10-2004-x64
Analysis
-
max time kernel
8s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 06:16
Static task
static1
Behavioral task
behavioral1
Sample
eabe80335778b6495bb615345c9dca08_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
eabe80335778b6495bb615345c9dca08_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/FileInfo.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/FileInfo.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/RCWidgetPlugin.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/RCWidgetPlugin.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$R0.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$R0.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
2345BatchRename.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
2345BatchRename.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
2345EditorApp.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
2345EditorApp.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
2345Extract.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
2345Extract.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
2345Image.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
2345Image.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
2345ImageApp.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
2345ImageApp.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
2345ImageCapture.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
2345ImageCapture.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
2345MiniPage.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
2345MiniPage.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
2345PdfApp.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
2345PdfApp.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
2345PdfReader.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
2345PdfReader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
2345Pic.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
2345Pic.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
2345PicEditor.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
2345PicEditor.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
$R0.dll
-
Size
6.2MB
-
MD5
fb7da9d8c450a58b383ff42d94ebe23a
-
SHA1
06a106efccf80560ac0fc848b8082916a7574081
-
SHA256
79107685d8d6adadd68decf5d34739b6519c2467687896ce698f9188a4b6dca4
-
SHA512
17c0e3bc0614886c9dd2da7965f96b1c4726388d8e6248b8429515026abed9f7327c09c7154d2e6e989a55c4eabed189c49067d5a14451a85b2957784a876475
-
SSDEEP
49152:Q8GH9teLBY922SM9c50Iq0ikQXvnxC262mGldjoAYkVTIGRGB/Ar95VpeOOQ1KT:xM9bYAUsxYOOyKT
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{1F45976A-9305-4A2F-85B3-E950C29436AA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{75F9C120-AE93-4372-ACCA-8BF6BB613A02}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\ = "Extract Handler Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\ = "Extract Handler Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\ = "Thumbnail Handler Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\ = "Extract Handler Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\ = "Thumbnail Handler Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbi\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbi regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\ = "ThumbnailLib" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\0\win64 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\ = "Thumbnail Handler Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0 regsvr32.exe