Analysis Overview
SHA256
4f42c697b6fe86325449f9a9f7b6c12595d5cb99d77252276205b82d886ea8c5
Threat Level: Shows suspicious behavior
The file e394354114d360b558ede282d84ecbbe_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Unsigned PE
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:48
Reported
2024-04-06 23:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:48
Reported
2024-04-06 23:51
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577} | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40} | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A} | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1} | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0 | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}" | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577} | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4868-0-0x00007FF6E4F20000-0x00007FF6E5052000-memory.dmp
memory/4868-1-0x00007FF6E4F20000-0x00007FF6E5052000-memory.dmp