Malware Analysis Report

2025-01-18 21:41

Sample ID 240415-d8gzkadf78
Target f03915e68497e7192045f9056cc3f87a_JaffaCakes118
SHA256 ac848106d86fccc4849064e3663cdea0ea973764a64c0cbe19027dd8efe11124
Tags
evasion trojan adware stealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

ac848106d86fccc4849064e3663cdea0ea973764a64c0cbe19027dd8efe11124

Threat Level: Known bad

The file f03915e68497e7192045f9056cc3f87a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion trojan adware stealer

Windows security bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Loads dropped DLL

Windows security modification

Installs/modifies Browser Helper Object

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Modifies Control Panel

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 03:40

Reported

2024-04-15 03:43

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\XPPoliceAntivirus\setup.dat C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\iehost.dll C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\don't load C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\don't load\scui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\don't load\wscui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2412 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2412 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2412 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1676 wrote to memory of 2984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 2984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 2984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 2984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\iehost.dll

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

Network

Country Destination Domain Proto
US 8.8.8.8:53 xp-download-center.com udp

Files

memory/2412-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2412-1-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2412-2-0x0000000000220000-0x000000000022C000-memory.dmp

memory/2412-3-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Windows\iehost.dll

MD5 0dc81418df654888fa76c550d37c1edd
SHA1 56bc7f18e5f991adedbc82933b0e89aa08c4155f
SHA256 913a1b3ec04f8b23f18cfb60e756f2c2016755157842c3a59e3ecbbf3e875707
SHA512 dab099efe5e0e31a9491de673e049220d75fd8f9265fb96ecf693ecf35fa455163f9de5a574c876d8cf7627376c66ea4cddb2e8ec8d4d24a5b093a5f14ed111a

memory/904-6-0x00000000001B0000-0x00000000001B6000-memory.dmp

memory/2412-7-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 03:40

Reported

2024-04-15 03:43

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6b571fb-b71d-449c-ad70-82e966328795} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6b571fb-b71d-449c-ad70-82e966328795}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\XPPoliceAntivirus\setup.dat C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\iehost.dll C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\don't load\wscui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\don't load C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\don't load\scui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{16406580-14CE-4441-B904-AD56CC8064CA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\ = "WinSafe Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CLSID\ = "{b6b571fb-b71d-449c-ad70-82e966328795}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\ = "WinSafe 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe\ = "WinSafe Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\TypeLib\ = "{16406580-14ce-4441-b904-ad56cc8064ca}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\InprocServer32\ = "C:\\Windows\\iehost.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CurVer\ = "WinApp.WinSafe.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\VersionIndependentProgID\ = "WinApp.WinSafe" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\ProgID\ = "WinApp.WinSafe.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{16406580-14CE-4441-B904-AD56CC8064CA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0\win32\ = "C:\\Windows\\iehost.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1\ = "WinSafe Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1\CLSID\ = "{b6b571fb-b71d-449c-ad70-82e966328795}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{16406580-14CE-4441-B904-AD56CC8064CA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{16406580-14CE-4441-B904-AD56CC8064CA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f03915e68497e7192045f9056cc3f87a_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\iehost.dll

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 xp-download-center.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/228-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/228-1-0x0000000000400000-0x000000000041D000-memory.dmp

memory/228-2-0x0000000000400000-0x000000000041D000-memory.dmp

memory/228-3-0x00000000004F0000-0x00000000004FC000-memory.dmp

memory/228-4-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Windows\iehost.dll

MD5 0dc81418df654888fa76c550d37c1edd
SHA1 56bc7f18e5f991adedbc82933b0e89aa08c4155f
SHA256 913a1b3ec04f8b23f18cfb60e756f2c2016755157842c3a59e3ecbbf3e875707
SHA512 dab099efe5e0e31a9491de673e049220d75fd8f9265fb96ecf693ecf35fa455163f9de5a574c876d8cf7627376c66ea4cddb2e8ec8d4d24a5b093a5f14ed111a

memory/5052-8-0x0000000010000000-0x0000000010008000-memory.dmp

memory/5052-9-0x00000000009F0000-0x00000000009F6000-memory.dmp

memory/228-10-0x0000000000400000-0x000000000041D000-memory.dmp