Overview
overview
6Static
static
317ef2ce34f...18.exe
windows7-x64
317ef2ce34f...18.exe
windows10-2004-x64
3$_0_/GameD...er.exe
windows7-x64
6$_0_/GameD...er.exe
windows10-2004-x64
6$_0_/GdShellExt.dll
windows7-x64
3$_0_/GdShellExt.dll
windows10-2004-x64
3$_0_/LnkTrapDll.dll
windows7-x64
3$_0_/LnkTrapDll.dll
windows10-2004-x64
3$_0_/atl71.dll
windows7-x64
3$_0_/atl71.dll
windows10-2004-x64
3$_0_/detoured.dll
windows7-x64
3$_0_/detoured.dll
windows10-2004-x64
3$_0_/dl_peer_id.dll
windows7-x64
3$_0_/dl_peer_id.dll
windows10-2004-x64
3$_0_/installhelp.dll
windows7-x64
3$_0_/installhelp.dll
windows10-2004-x64
3$_0_/libexpat.dll
windows7-x64
3$_0_/libexpat.dll
windows10-2004-x64
3$_0_/msvcp71.dll
windows7-x64
3$_0_/msvcp71.dll
windows10-2004-x64
3$_0_/msvcr71.dll
windows7-x64
3$_0_/msvcr71.dll
windows10-2004-x64
3Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/10/2024, 11:40
Static task
static1
Behavioral task
behavioral1
Sample
17ef2ce34f4b678baf2113e4a594a7ad_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
17ef2ce34f4b678baf2113e4a594a7ad_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$_0_/GameDownloader.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$_0_/GameDownloader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$_0_/GdShellExt.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$_0_/GdShellExt.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_0_/LnkTrapDll.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$_0_/LnkTrapDll.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_0_/atl71.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$_0_/atl71.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_0_/detoured.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$_0_/detoured.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_0_/dl_peer_id.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$_0_/dl_peer_id.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_0_/installhelp.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_0_/installhelp.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_0_/libexpat.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
$_0_/libexpat.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_0_/msvcp71.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
$_0_/msvcp71.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_0_/msvcr71.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$_0_/msvcr71.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
General
-
Target
$_0_/dl_peer_id.dll
-
Size
85KB
-
MD5
c6e0c16fcfe918d40819ededec3ae240
-
SHA1
a09f398b3a8ed4520a7142325d1f73667571cf35
-
SHA256
c425bc774fc681798797fd4c7e0c11e3318fa4c184b61f23b5cb5c641c8dbcb9
-
SHA512
404a4b9525a3c88c8f488e02273dcac5e2659bec563471f2629621736fdebadacbfba0e253b6ead893bfc69bf01e6d45852699bdc77d3c6ea7f7bfb19850d2c6
-
SSDEEP
768:5m/NxWeyBQHRv4yqLSypchegiicB+JQYqPo+nZr5FwqNjfyOO+666laCiNmtdt81:5m1UXiRv3iLcJQ8wDNTxotrRqk3p6DH
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 44 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\VersionIndependentProgID\ = "Dl_peer_id.DownloadLibPlugin" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\TypeLib\ = "{3E618540-AFE5-4DFC-B440-1A760323133B}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin.1\ = "DownloadLibPlugin Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_0_\\dl_peer_id.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\ProgID\ = "Dl_peer_id.XlPeerId.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId.1\ = "XlPeerId Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\ = "XlPeerId Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin\ = "DownloadLibPlugin Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin\CurVer\ = "Dl_peer_id.DownloadLibPlugin.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin\CLSID\ = "{D76D152E-836B-489B-A333-930A7F22A1D4}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\TypeLib\ = "{3E618540-AFE5-4DFC-B440-1A760323133B}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\ = "DownloadLibPlugin Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\ProgID\ = "Dl_peer_id.DownloadLibPlugin.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId\CLSID\ = "{5D72951E-2B86-41B9-835F-464346928269}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\VersionIndependentProgID\ = "Dl_peer_id.XlPeerId" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D76D152E-836B-489B-A333-930A7F22A1D4}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId\CurVer\ = "Dl_peer_id.XlPeerId.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId.1\CLSID\ = "{5D72951E-2B86-41B9-835F-464346928269}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId\ = "XlPeerId Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_0_\\dl_peer_id.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D72951E-2B86-41B9-835F-464346928269}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.DownloadLibPlugin.1\CLSID\ = "{D76D152E-836B-489B-A333-930A7F22A1D4}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dl_peer_id.XlPeerId.1 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4608 wrote to memory of 1376 4608 regsvr32.exe 82 PID 4608 wrote to memory of 1376 4608 regsvr32.exe 82 PID 4608 wrote to memory of 1376 4608 regsvr32.exe 82
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_0_\dl_peer_id.dll1⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$_0_\dl_peer_id.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1376
-