Overview
overview
10Static
static
10ae4fd40960...18.exe
windows7-x64
7ae4fd40960...18.exe
windows10-2004-x64
7$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...st.dll
windows7-x64
5$PLUGINSDI...st.dll
windows10-2004-x64
5$PLUGINSDI...nk.dll
windows7-x64
3$PLUGINSDI...nk.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...ss.dll
windows7-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
3$PLUGINSDI...ce.dll
windows7-x64
3$PLUGINSDI...ce.dll
windows10-2004-x64
3$PLUGINSDIR/time.dll
windows7-x64
3$PLUGINSDIR/time.dll
windows10-2004-x64
3$SYSDIR/Po...64.dll
windows7-x64
7$SYSDIR/Po...64.dll
windows10-2004-x64
ATextOut64.dll
windows7-x64
1ATextOut64.dll
windows10-2004-x64
1DChat64.dll
windows7-x64
1DChat64.dll
windows10-2004-x64
1DTDrop64.exe
windows7-x64
7DTDrop64.exe
windows10-2004-x64
7Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-11-2024 02:30
Behavioral task
behavioral1
Sample
ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/HwInfo.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/HwInfo.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/LockedList.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/LockedList.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/ShellLink.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/ShellLink.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/newadvsplash.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/newadvsplash.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/textreplace.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/textreplace.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/time.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/time.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$SYSDIR/PotPlayerLauncher64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
$SYSDIR/PotPlayerLauncher64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ATextOut64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
ATextOut64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
DChat64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
DChat64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
DTDrop64.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral32
Sample
DTDrop64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$SYSDIR/PotPlayerLauncher64.dll
-
Size
741KB
-
MD5
aee473d4e6aadd78189570f6623e0c73
-
SHA1
f712acdd76dc49bed004c46669d4af1cab6edc19
-
SHA256
40c264a9a31fb85201dac2d15bf39abc9964d12301d456c9a3bd403cf2699553
-
SHA512
c985f053b2ac9bac9c00fba49c2e3d2cfdad80abcb586ad4e085afeb095b28ed4faf1745e33e4853cfd98cae49699f6f8fb4648ac1e2fb874b9ed47617966a2c
-
SSDEEP
12288:8arQUx11ywRIald7vMb+2ECkO/cjFEZTF7XsAVdMF:/dN5hv2ECkqwFETF7cgdMF
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Control\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\ = "DaumLiveLauncher ActiveX Control module" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0\win64 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\PotPlayerLauncher64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE}\ = "DaumLiveLauncher Property Page" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\ = "DaumLiveLauncher Control" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\CLSID\ = "{2E215D23-8D32-4141-BB8F-6254C84FBC9E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\POTPLA~1.DLL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\HELPDIR\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ = "DaumLiveLauncher Control" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ = "_DDaumLiveLauncher" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\POTPLA~1.DLL, 1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ = "_DDaumLiveLauncher" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ProgID\ = "DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\FLAGS\ = "2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ = "_DDaumLiveLauncherEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32 regsvr32.exe