6c7ca6f35472bbe6ce9dd03fcb3c70155f2eb1c92d88d8c1f5dacb8b31daa00b

General

Target

JaffaCakes118_4396db7a1d3c41b0333e487f0fa11868.dll
Size

147KB
MD5

4396db7a1d3c41b0333e487f0fa11868
SHA1

af5aa0eb1b8351c519e8ef0b203ebd7c560fff50
SHA256

6c7ca6f35472bbe6ce9dd03fcb3c70155f2eb1c92d88d8c1f5dacb8b31daa00b
SHA512

12fbead1a66174feabb72a689168e28559f7155fe942cffc28011ea97769c15ed566a8fc7bf900a91919cc1fb0a3edef66dc1331b72ceff963d2e3fd0d97925d
SSDEEP

3072:5ODZGx4N+MIcFbeC8qP1bEtYn1TjeGna3wCkqFDHYvSiAoX4:Egx4NnVbGqPqKFqSvSiW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	regsvr32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2476	regsvr32.exe
2476	regsvr32.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2940	2416	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A16043F-676D-11d2-994E-00C04FA309D4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A16043F-676D-11d2-994E-00C04FA309D4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A16043F-676D-11d2-994E-00C04FA309D4}\InProcServer32	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe
Token: SeRestorePrivilege	2476	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2288 wrote to memory of 2476	2288	regsvr32.exe	30
PID 2476 wrote to memory of 2416	2476	regsvr32.exe	31
PID 2476 wrote to memory of 2416	2476	regsvr32.exe	31
PID 2476 wrote to memory of 2416	2476	regsvr32.exe	31
PID 2476 wrote to memory of 2416	2476	regsvr32.exe	31
PID 2416 wrote to memory of 2940	2416	regsvr32mgr.exe	32
PID 2416 wrote to memory of 2940	2416	regsvr32mgr.exe	32
PID 2416 wrote to memory of 2940	2416	regsvr32mgr.exe	32
PID 2416 wrote to memory of 2940	2416	regsvr32mgr.exe	32

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4396db7a1d3c41b0333e487f0fa11868.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4396db7a1d3c41b0333e487f0fa11868.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RGI9D0A.tmp

Filesize
802B

MD5
f43aa15b8b94400fd85a33484b4ce010

SHA1
7246e1f9826a750992b172b485e132fc38936019

SHA256
d1771866468bd3b9cf3db9c40f4031e266d858aac2e5ef11b412e6df6dd297f4

SHA512
e155d2de65e067173276658691e67e44b83d0f20e3959dad558c58682da66b674934106f1b271046f92d0e020c06222cc6719e2bc78a0a9117ab46ac1d2bbe73

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/2476-1-0x000000006CDF0000-0x000000006CE19000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing