e7b365897ab2f33151db2a913a3e7015abf3ece9bd656f31319c86a3dff5fb06

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll
Size

236KB
MD5

78b0d536dae5589848e384313d4a7cb6
SHA1

93f5f7ceb2a581e28d7c60588e8f593d673dee56
SHA256

e7b365897ab2f33151db2a913a3e7015abf3ece9bd656f31319c86a3dff5fb06
SHA512

9b67e4fdba7222eea4b206df35db9be482e23d20a4e78d35915caa46541dd1229fa873e75a11f107a44d67a7b581041dc10f1daa1a181ea3cad0b9cba1cf3d4c
SSDEEP

3072:ocA7dC06evlQoTV5SItYgEdITFGzziX5K4dz4CYK5HdptTndXpRAK5Gq8TeICEg:ocA7dC06eeytYl0CY9pJnRAK5G1rCEg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
636	regsvr32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2072	regsvr32.exe
2072	regsvr32.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	636	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\ = "IScanSettingsControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll, 101"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib\ = "{12BF9911-8670-40AD-A0F4-9038621FEB4F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl.1\CLSID\ = "{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\ProgID\ = "ScanSettings.ScanSettingsControl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\ = "IScanSettingsControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib\ = "{12BF9911-8670-40AD-A0F4-9038621FEB4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\TypeLib\ = "{12BF9911-8670-40AD-A0F4-9038621FEB4F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl.1\ = "ScanSettingsControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\VersionIndependentProgID\ = "ScanSettings.ScanSettingsControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\ = "ScanSettingsControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\TypeLib\ = "{12BF9911-8670-40AD-A0F4-9038621FEB4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl\ = "ScanSettingsControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EC5D243-0D94-4D05-AA64-A5EEB01EE351}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\ = "IScanSettingsControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl\CurVer\ = "ScanSettings.ScanSettingsControl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\ = "ScanSettings 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12BF9911-8670-40AD-A0F4-9038621FEB4F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B1FE3D6-B8DC-40AC-93D3-B52F260A6607}\TypeLib\ = "{12BF9911-8670-40AD-A0F4-9038621FEB4F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScanSettings.ScanSettingsControl\CLSID\ = "{CF0FAF4E-F2D5-4CAC-A0A5-65580079F157}"	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2396 wrote to memory of 2072	2396	regsvr32.exe	29
PID 2072 wrote to memory of 636	2072	regsvr32.exe	30
PID 2072 wrote to memory of 636	2072	regsvr32.exe	30
PID 2072 wrote to memory of 636	2072	regsvr32.exe	30
PID 2072 wrote to memory of 636	2072	regsvr32.exe	30
PID 636 wrote to memory of 2044	636	regsvr32mgr.exe	31
PID 636 wrote to memory of 2044	636	regsvr32mgr.exe	31
PID 636 wrote to memory of 2044	636	regsvr32mgr.exe	31
PID 636 wrote to memory of 2044	636	regsvr32mgr.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b0d536dae5589848e384313d4a7cb6.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\regsvr32mgr.exe

Filesize
113KB

MD5
d26092af969610dab56e02649ecae88d

SHA1
cd450ff4b645acd188fa1f9e9c16a972c0e99f87

SHA256
e4fedb771fd949517cbf3392c9f36be599bf16726a4702cb960a1f4845c39a71

SHA512
8c87bf4318089dc03d7c60b1d1f04ac46333f792ca37bd3a0ca832dc22ae56dc8b0a473154706ef58812c70cf99d6fee877ab4984ce973eaaa3e5d1525730b05

Download Submit
memory/2072-0-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download