Analysis Overview
SHA256
f1a2cb1cdc24f66c9331d273829248a20d6d25e4302618e7d28acc90e9d8d294
Threat Level: Known bad
The file 0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
UPX packed file
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 17:24
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 17:24
Reported
2024-10-03 17:27
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\NumMethods\ = "20" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ = "ICUIExternal2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\NumMethods\ = "4" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ = "ICUIExternal5" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\NumMethods\ = "39" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\NumMethods\ = "45" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\NumMethods\ = "11" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ = "ICUIExternal3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\ = "ICUIExternal8" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\NumMethods\ = "43" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ = "ICUIExtClientNotify" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ = "ICUIExternal7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ = "ICUIExternal6" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\ = "ICUIDownScale" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ = "ICUIExternal4" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\ = "ICUIExternalDual" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\NumMethods\ = "25" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 148
Network
Files
memory/2368-1-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Windows\SysWOW64\regsvr32mgr.exe
| Hash | Value |
| --- | --- |
| MD5 | 609c9eadac4c1cc48b5f89be6c36e276 |
| SHA1 | f047b565fdb73d5b75ffaed7b2faa335e82b3514 |
| SHA256 | e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325 |
| SHA512 | 246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5 |
memory/1864-10-0x0000000000400000-0x0000000000451000-memory.dmp
\Users\Admin\AppData\Local\Temp\~TMC783.tmp
| Hash | Value |
| --- | --- |
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
\Users\Admin\AppData\Local\Temp\~TMC794.tmp
| Hash | Value |
| --- | --- |
| MD5 | 9b98d47916ead4f69ef51b56b0c2323c |
| SHA1 | 290a80b4ded0efc0fd00816f373fcea81a521330 |
| SHA256 | 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b |
| SHA512 | 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94 |
memory/1864-16-0x0000000000400000-0x0000000000451000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 17:24
Reported
2024-10-03 17:27
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
129s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32mgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\NumMethods\ = "4" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\NumMethods\ = "39" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\ = "ICUIExternal8" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\NumMethods\ = "11" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ = "ICUIExternal2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\NumMethods\ = "37" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\NumMethods\ = "43" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ = "ICUIExternal5" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\NumMethods\ = "45" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\ = "ICUIExternalDual" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ = "ICUIExtClientNotify" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\ = "ICUIDownScale" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86709F66-89C5-4B19-A83F-E4995E21599A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F932C038-6484-45CA-8FA1-7C8C279F7AEE}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\NumMethods\ = "20" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ProxyStubClsid32\ = "{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFB6489F-4515-44AA-8DF7-ED28EA46283C}\ = "ICUIExternal6" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A05C525D-B4CB-4108-BFF7-1ACF1A14F00A}\NumMethods\ = "25" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3473E05A-3317-4DF5-9098-E5387C94D1B0}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ = "ICUIExternal3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CED2F89-627B-4E5D-840F-B126EE858CD8}\ = "ICUIExternal7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C4B98D-F59E-4A0C-AEE9-801E0CDB671E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DC5B31E-0C28-4679-B8D8-32CF2F9BACED}\ = "ICUIExternal4" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27E7234F-429F-4787-AC8F-8AADDED01355}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70F8C65F-06AA-443B-9E6B-7C73808F07E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1808 wrote to memory of 3940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 3940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1808 wrote to memory of 3940 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3940 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
| PID 3940 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
| PID 3940 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32mgr.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0fd6a8d4cb920ac3d9b04d091d019a67_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 852 -ip 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 468
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
Network
Files
memory/3940-1-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Windows\SysWOW64\regsvr32mgr.exe
| Hash | Value |
| --- | --- |
| MD5 | 609c9eadac4c1cc48b5f89be6c36e276 |
| SHA1 | f047b565fdb73d5b75ffaed7b2faa335e82b3514 |
| SHA256 | e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325 |
| SHA512 | 246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5 |
memory/852-6-0x0000000000400000-0x0000000000451000-memory.dmp
memory/852-5-0x0000000000400000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~TM6EC2.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/852-10-0x0000000000400000-0x0000000000451000-memory.dmp