dfa397861600e87386b06f0178ffe6abae4c356c10420bbd13c64a3c78a23266

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06c0e14742ffe22e9b4f4ef330ac18e1_JaffaCakes118.dll
Size

95KB
MD5

06c0e14742ffe22e9b4f4ef330ac18e1
SHA1

b054a87677302da065fb6d62e74902723b01fdb4
SHA256

dfa397861600e87386b06f0178ffe6abae4c356c10420bbd13c64a3c78a23266
SHA512

f5d659d3e2a2dd1586e6be0aae72ac3aedde3a4d4e760324056dd8a2348c07d5717a256ba1e423a0a94195a63e31a1127cf612b1bcd1b37015cb2a11ea1d5c33
SSDEEP

1536:WtxOpabjbENiPHlhJM33DDUFgRdifCNNmbwc6PDCvbR0npOIcySR4sRz1o+yBpET:WtBXzm3DDUSRIsaMDCtcnVg9RzO/KT

Score

7^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x000007FEFA570000-0x000007FEFA5DD000-memory.dmp	upx

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ = "IMediaViewerIdentifier"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06c0e14742ffe22e9b4f4ef330ac18e1_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\ = "MediaViewerC799 Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\ = "MediaViewerPluginLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06c0e14742ffe22e9b4f4ef330ac18e1_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ = "IMediaViewerIdentifier"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-ACCC-C7990E7AC40C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605622}\TypeLib\Version = "1.0"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\06c0e14742ffe22e9b4f4ef330ac18e1_JaffaCakes118.dll
1⤵
- Modifies registry class
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-0-0x000007FEFA570000-0x000007FEFA5DD000-memory.dmp

Filesize
436KB

Download