Analysis Overview
SHA256
e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545
Threat Level: Shows suspicious behavior
The file f1278c614f4bcb17088e0194a3e15108_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
UPX packed file
Adds Run key to start application
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 13:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
151s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe
"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"
C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp" /SL4 $F0150 "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
Files
memory/2212-1-0x0000000000400000-0x0000000000413000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4fa180886ff7c0fd86a65f760ede6318 |
| SHA1 | 2c89c271c71531362e84ddab5d3028f0756a9281 |
| SHA256 | 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c |
| SHA512 | a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd |
memory/1980-9-0x00000000003E0000-0x00000000003E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ETNCE.tmp\_isetup\_shfoldr.dll
| Hash | Value |
| --- | --- |
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\del_bat.cmd
| Hash | Value |
| --- | --- |
| MD5 | 57d7419e37e725840c910cb21ccf0adb |
| SHA1 | b2a7b23acc8039311994933add224e72ee08a4a4 |
| SHA256 | 7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac |
| SHA512 | e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc |
memory/2212-19-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1980-20-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1980-23-0x00000000003E0000-0x00000000003E1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
155s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2156 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp |
| PID 2156 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp |
| PID 2156 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp |
| PID 1684 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1684 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1684 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe
"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"
C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp" /SL4 $8016E "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.147:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 147.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
memory/2156-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2156-2-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4fa180886ff7c0fd86a65f760ede6318 |
| SHA1 | 2c89c271c71531362e84ddab5d3028f0756a9281 |
| SHA256 | 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c |
| SHA512 | a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd |
memory/1684-13-0x0000000002340000-0x0000000002341000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\del_bat.cmd
| Hash | Value |
| --- | --- |
| MD5 | 57d7419e37e725840c910cb21ccf0adb |
| SHA1 | b2a7b23acc8039311994933add224e72ee08a4a4 |
| SHA256 | 7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac |
| SHA512 | e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc |
memory/2156-15-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1684-16-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1684-19-0x0000000002340000-0x0000000002341000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowController = "c:\\program files\\WindowController\\WindowController.exe" | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\WindowController\is-03V98.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-KVQ47.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-3GRB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WindowController\del_bat.cmd | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-TAF32.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-NCT7N.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-ABGFQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File opened for modification | C:\Program Files\WindowController\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
| File created | C:\Program Files\WindowController\is-5D2PI.tmp | C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID\ = "windowcontroller.windowcontroller" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA} | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid\ = "{F887887B-2D45-4998-9249-0ADE4BAD9EAA}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController Class" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\ = "WindowController" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\ = "windowcontroller Library" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR\ = "C:\\Program Files\\WindowController\\" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ = "C:\\PROGRA~1\\WIC173~1\\WINDOW~1.DLL" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32\ = "C:\\Program Files\\WindowController\\windowcontroller_v1.dll" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0 | C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"
C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
"C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp" /SL4 $40156 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""
C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp
_RegDLL.tmp 552 544
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | counter.adncheck.com | udp |
Files
\Program Files (x86)\WindowController\WindowController_setup_06.exe
| Hash | Value |
| --- | --- |
| MD5 | 5f47cf5504f99f7a6a20ea11e393ed75 |
| SHA1 | 081ba58a5a211efa949b6536b477b9f211f1a0ea |
| SHA256 | a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b |
| SHA512 | 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2 |
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
| Hash | Value |
| --- | --- |
| MD5 | 3670ebb3297f13962c71489c50e5fc4a |
| SHA1 | 9b58125817e1ed3fafd54c89dcd8880b45e8d27f |
| SHA256 | 5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0 |
| SHA512 | 99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714 |
memory/1964-16-0x0000000000400000-0x0000000000413000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4fa180886ff7c0fd86a65f760ede6318 |
| SHA1 | 2c89c271c71531362e84ddab5d3028f0756a9281 |
| SHA256 | 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c |
| SHA512 | a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd |
\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_shfoldr.dll
| Hash | Value |
| --- | --- |
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Program Files (x86)\WindowController\del_bat.cmd
| Hash | Value |
| --- | --- |
| MD5 | 569c447b88ee6ee87a0d575fc064c735 |
| SHA1 | c6d4a65b6ae7cd71d3d147de18623ea608fab20a |
| SHA256 | ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c |
| SHA512 | 1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5 |
\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp
| Hash | Value |
| --- | --- |
| MD5 | c594b792b9c556ea62a30de541d2fb03 |
| SHA1 | 69e0207515e913243b94c2d3a116d232ff79af5f |
| SHA256 | 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e |
| SHA512 | 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144 |
C:\Program Files\WindowController\windowcontroller_v1.dll
| Hash | Value |
| --- | --- |
| MD5 | 42fa974b082ae577576fe5d4116b0ea7 |
| SHA1 | f374a519c41c73e5e40f281d25ec91325ff8c103 |
| SHA256 | b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45 |
| SHA512 | 60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48 |
memory/2544-55-0x0000000001F70000-0x000000000209C000-memory.dmp
\Program Files\WindowController\sqlite3.dll
| Hash | Value |
| --- | --- |
| MD5 | 89f0fd81f69f1a20ba0951d8694b4437 |
| SHA1 | f3c56f20cf8a6f6dd210b287b6a22210d252ec6b |
| SHA256 | c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a |
| SHA512 | 51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd |
memory/2152-61-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/1964-62-0x0000000000400000-0x0000000000413000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
113s
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowController = "c:\\program files\\WindowController\\WindowController.exe" | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\WindowController\is-2I09V.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\is-U31JN.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\is-FUCKO.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\is-AU2B7.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\is-NMT1G.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\is-1Q1SM.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files (x86)\WindowController\del_bat.cmd | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files\WindowController\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File opened for modification | C:\Program Files\WindowController\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
| File created | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\WindowController\is-U8FHN.tmp | C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ = "C:\\PROGRA~1\\WIC173~1\\WINDOW~1.DLL" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\ = "WindowController" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32\ = "C:\\Program Files\\WindowController\\windowcontroller_v1.dll" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\ = "windowcontroller Library" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID\ = "windowcontroller.windowcontroller" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid\ = "{F887887B-2D45-4998-9249-0ADE4BAD9EAA}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA} | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR\ = "C:\\Program Files\\WindowController\\" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController Class" | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller | C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"
C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
"C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp" /SL4 $401D8 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""
C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp
_RegDLL.tmp 1212 1116
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.adncheck.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
| MD5 | 5f47cf5504f99f7a6a20ea11e393ed75 |
| SHA1 | 081ba58a5a211efa949b6536b477b9f211f1a0ea |
| SHA256 | a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b |
| SHA512 | 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2 |
memory/3032-6-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp
| MD5 | 4fa180886ff7c0fd86a65f760ede6318 |
| SHA1 | 2c89c271c71531362e84ddab5d3028f0756a9281 |
| SHA256 | 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c |
| SHA512 | a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd |
memory/932-17-0x0000000000590000-0x0000000000591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
| MD5 | 3670ebb3297f13962c71489c50e5fc4a |
| SHA1 | 9b58125817e1ed3fafd54c89dcd8880b45e8d27f |
| SHA256 | 5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0 |
| SHA512 | 99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714 |
C:\Program Files (x86)\WindowController\del_bat.cmd
| MD5 | 569c447b88ee6ee87a0d575fc064c735 |
| SHA1 | c6d4a65b6ae7cd71d3d147de18623ea608fab20a |
| SHA256 | ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c |
| SHA512 | 1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5 |
C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp
| MD5 | c594b792b9c556ea62a30de541d2fb03 |
| SHA1 | 69e0207515e913243b94c2d3a116d232ff79af5f |
| SHA256 | 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e |
| SHA512 | 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144 |
C:\Program Files\WindowController\windowcontroller_v1.dll
| MD5 | 42fa974b082ae577576fe5d4116b0ea7 |
| SHA1 | f374a519c41c73e5e40f281d25ec91325ff8c103 |
| SHA256 | b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45 |
| SHA512 | 60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48 |
memory/1296-43-0x00000000021D0000-0x00000000022FC000-memory.dmp
C:\Program Files\WindowController\sqlite3.dll
| MD5 | 89f0fd81f69f1a20ba0951d8694b4437 |
| SHA1 | f3c56f20cf8a6f6dd210b287b6a22210d252ec6b |
| SHA256 | c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a |
| SHA512 | 51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd |
memory/1296-47-0x0000000060900000-0x000000006096F000-memory.dmp
memory/1296-45-0x00000000021D0000-0x00000000022FC000-memory.dmp
memory/932-51-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/3032-52-0x0000000000400000-0x0000000000413000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-15 13:23
Reported
2024-04-15 13:26
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 244