Malware Analysis Report

2025-01-18 21:35

Sample ID 240415-knxylsae84
Target f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118
SHA256 a4f8c08fa04116373b1845e97d90121bd553614e6532f2cd118a3aa0888e9cf9
Tags
upx adware discovery persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a4f8c08fa04116373b1845e97d90121bd553614e6532f2cd118a3aa0888e9cf9

Threat Level: Shows suspicious behavior

The file f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware discovery persistence stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Installs/modifies Browser Helper Object

Adds Run key to start application

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 08:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 08:45

Reported

2024-04-15 08:47

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2448 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 postip.sidetab.co.kr udp

Files

memory/2968-0-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-3-0x0000000000230000-0x0000000000278000-memory.dmp

memory/2968-2-0x0000000000230000-0x0000000000278000-memory.dmp

memory/2968-1-0x0000000000230000-0x0000000000278000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 dc62c2f61a803bd1292b0b169fa6f8d9
SHA1 117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA256 7434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA512 55f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1

\Program Files (x86)\PostTip\PostTip.exe

MD5 c2b5be376cac31c0b01603105ae4ea89
SHA1 4fcfa0181ca5478103c6999199957be40f4a937b
SHA256 8ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512 d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72

C:\DelUS.bat

MD5 f8e48a5a182463ed051464ad2b4ca5b0
SHA1 1f99681adb00c71d4e32ddf5f41b62eb69586ac4
SHA256 1dd7a62019ba98caced84a756895015248d3dc95e0807b5b37091394dd1df834
SHA512 c8ee9868ea61d617bc5e8e0aeca55fe2450b7e2bf1d041e3583e928ce8decd1466d7efd0555fadcb2f22facf556398e6795a99b64408a720072e09a4cdb7718b

memory/2968-27-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 08:45

Reported

2024-04-15 08:48

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 4064 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 4064 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1368 wrote to memory of 4780 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1368 wrote to memory of 4780 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1368 wrote to memory of 4780 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0af2a62ff29df86e7e4453b2562fb10_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c \DelUS.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 postip.sidetab.co.kr udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/4064-0-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 dc62c2f61a803bd1292b0b169fa6f8d9
SHA1 117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA256 7434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA512 55f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1

C:\Program Files (x86)\PostTip\PostTip.exe

MD5 c2b5be376cac31c0b01603105ae4ea89
SHA1 4fcfa0181ca5478103c6999199957be40f4a937b
SHA256 8ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512 d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72

memory/4064-12-0x0000000000400000-0x0000000000448000-memory.dmp

C:\DelUS.bat

MD5 f8e48a5a182463ed051464ad2b4ca5b0
SHA1 1f99681adb00c71d4e32ddf5f41b62eb69586ac4
SHA256 1dd7a62019ba98caced84a756895015248d3dc95e0807b5b37091394dd1df834
SHA512 c8ee9868ea61d617bc5e8e0aeca55fe2450b7e2bf1d041e3583e928ce8decd1466d7efd0555fadcb2f22facf556398e6795a99b64408a720072e09a4cdb7718b