Malware Analysis Report

2025-01-18 21:44

Sample ID 240415-plqhzagf2z
Target f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118
SHA256 9f7d8d18aa6a476b211263d35fbf421427d94881188d577876b116dbc3a2647e
Tags
adware stealer

score
6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
6/10

SHA256

9f7d8d18aa6a476b211263d35fbf421427d94881188d577876b116dbc3a2647e

Threat Level: Shows suspicious behavior

The file f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Installs/modifies Browser Helper Object

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 12:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 12:25

Reported

2024-04-15 12:27

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ = "amylibP" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\ = "amylibB Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ = "IJetVideoPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\AppID = "{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ = "IJetMimeFiltr" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} = 61006d0079006c00690062002e0064006c006c00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\amylib.DLL\AppID = "{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ = "WV Video Provider" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\CLSID\ = "{29B981AD-1CE1-42A4-84B1-EF7781BF4326}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ProxyStubClsid32\ = "{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} = 43004c005300490044005c007b00310034003000380045003200300038002d0032004100430031002d0034003200440033002d0039004600310030002d003700380041003500420033003600450030003500410043007d00 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\ = "amylibB Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ProxyStubClsid32\ = "{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\ = "{8365916A-704A-45B3-931F-4CAFFCA468B7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\ = "{8365916A-704A-45B3-931F-4CAFFCA468B7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\VersionIndependentProgID\ = "amylib.AClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\VersionIndependentProgID\ = "amylib.BClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\ = "amylibA Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ = "IJetMimeFiltr" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\ = "amylibA Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ProgID\ = "amylib.AClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ = "IJetVideoPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CLSID\ = "{9E2C7AA9-AB2F-47DE-952A-8680982E826A}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 1352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

Network

Country Destination Domain Proto
UA 93.183.194.17:80 tcp
UA 93.183.194.17:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 12:25

Reported

2024-04-15 12:27

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

115s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ = "amylibP" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\ = "amylibA Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ProxyStubClsid32\ = "{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} = 43004c005300490044005c007b00310034003000380045003200300038002d0032004100430031002d0034003200440033002d0039004600310030002d003700380041003500420033003600450030003500410043007d00 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\amylib.DLL\AppID = "{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\ = "amylibA Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ = "IJetVideoPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ProgID\ = "amylib.AClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\ = "{8365916A-704A-45B3-931F-4CAFFCA468B7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}\ = "amylib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\CLSID\ = "{9E2C7AA9-AB2F-47DE-952A-8680982E826A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\AppID = "{B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\VersionIndependentProgID\ = "amylib.BClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CurVer\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0\ = "amylib Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr.1\ = "amylibB Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CLSID\ = "{29B981AD-1CE1-42A4-84B1-EF7781BF4326}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ = "IJetVideoPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC}\CLSID\{1408E208-2AC1-42D3-9F10-78A5B36E05AC} = 61006d0079006c00690062002e0064006c006c00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetMimeFiltr C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ = "IJetMimeFiltr" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\ = "JetMimeFiltr Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\TypeLib\ = "{8365916A-704A-45B3-931F-4CAFFCA468B7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ = "IJetMimeFiltr" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\amylib.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib\ = "{8365916A-704A-45B3-931F-4CAFFCA468B7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin.1\CLSID\ = "{29B981AD-1CE1-42A4-84B1-EF7781BF4326}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xvideoplugin.JetVideoPlugin\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E01F6E7-5A90-48B0-A7A2-FE601F353FD6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0F9EDFC-922A-4EC6-BCBB-EC5E4B86DA56}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2C7AA9-AB2F-47DE-952A-8680982E826A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B981AD-1CE1-42A4-84B1-EF7781BF4326}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8365916A-704A-45B3-931F-4CAFFCA468B7} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f10c8e3adc9c36abc425a1e44ef6fb2d_JaffaCakes118.dll

Network

Country Destination Domain Proto
UA 93.183.194.17:80 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 23.62.61.98:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 98.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A