a5dda4343a9c554dfedc734a79229d37288a850ef1217051069572162ed4d7c9

General

Target

90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
Size

316KB
MD5

90d44862fd7a2e05f2511988ff360d5f
SHA1

168ef5a541e3a90233bc896a8910d760e47f82e7
SHA256

a5dda4343a9c554dfedc734a79229d37288a850ef1217051069572162ed4d7c9
SHA512

f20cf7257a152e9f821ee0c2b73f10ac9cc9d4db868f51ac7604296b7cd8df232d521fd8df1614f741e368867d5e8d83b0fcb5b379c884b7f5ae384c21e13ef8
SSDEEP

6144:O5+QAs8Yqz+CLetk43n6JEaWeuk1i9QsjbWN1e6SKT:ZQAs8YJtksn6J3W5k1iPY1bSKT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

3060 regsvr32mgr.exe

pid	process
3060	regsvr32mgr.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
1980	regsvr32.exe
1980	regsvr32.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2088 3060 WerFault.exe regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

pid	pid_target	process	target process
2088	3060	WerFault.exe	regsvr32mgr.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeregsvr32mgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\ = "CDDBWinamp5Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\VersionIndependentProgID\ = "CDDBControl.CDDBControl2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID\ = "{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\ = "CddbFullName Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\VersionIndependentProgID\ = "CDDBControlWinamp5.CddbFullName"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID\ = "{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID\ = "{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2\ = "CDDBControl2 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp.CddbDisc\CurVer\ = "CDDBControlWinamp5.CddbDisc.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2\CLSID\ = "{69E9B473-22E6-471D-8683-84BD1E4BECE1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID\ = "{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ = "CDDBWinamp5Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID\ = "{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2.1\CLSID\ = "{69E9B473-22E6-471D-8683-84BD1E4BECE1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID\ = "{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID\ = "{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp.CddbDisc	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\ = "CDDBControl2 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\VersionIndependentProgID\ = "CDDBControlWinamp5.CDDBWinamp5Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\VersionIndependentProgID\ = "CDDBControlWinamp5.CddbDisc"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\ProgID\ = "CDDBControlWinamp5.CddbDisc.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\TypeLib\ = "{092c84ce-ce92-439f-9c12-997beea855d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp.CddbDisc\CurVer	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exe

description	pid	process	target process
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 1980	1236	regsvr32.exe	regsvr32.exe
PID 1980 wrote to memory of 3060	1980	regsvr32.exe	regsvr32mgr.exe
PID 1980 wrote to memory of 3060	1980	regsvr32.exe	regsvr32mgr.exe
PID 1980 wrote to memory of 3060	1980	regsvr32.exe	regsvr32mgr.exe
PID 1980 wrote to memory of 3060	1980	regsvr32.exe	regsvr32mgr.exe
PID 3060 wrote to memory of 2088	3060	regsvr32mgr.exe	WerFault.exe
PID 3060 wrote to memory of 2088	3060	regsvr32mgr.exe	WerFault.exe
PID 3060 wrote to memory of 2088	3060	regsvr32mgr.exe	WerFault.exe
PID 3060 wrote to memory of 2088	3060	regsvr32mgr.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1980-0-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads