Malware Analysis Report

2025-01-18 21:37

Sample ID 240415-sxh5tahg92
Target f16300d6d4765295c22d114d06373463_JaffaCakes118
SHA256 6eeb5c03c0c5400e0eb0eb08f6d494a6de199ed1ad44e2a3cfac772681f21b2e
Tags
adware discovery persistence stealer upx
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file f16300d6d4765295c22d114d06373463_JaffaCakes118 was classified as "Shows suspicious behavior".

Malicious Activity Summary

adware discovery persistence stealer upx

Deletes itself

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks installed software on the system

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 15:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 15:30

Reported

2024-04-15 15:32

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 940 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 940 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 940 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 940 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 940 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 940 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 3596 wrote to memory of 3224 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3596 wrote to memory of 3224 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3596 wrote to memory of 3224 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 940 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c \DelUS.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 postip.sidetab.co.kr udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/940-0-0x0000000000400000-0x0000000000448000-memory.dmp

memory/940-1-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 dc62c2f61a803bd1292b0b169fa6f8d9
SHA1 117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA256 7434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA512 55f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1

C:\Program Files (x86)\PostTip\PostTip.exe

MD5 c2b5be376cac31c0b01603105ae4ea89
SHA1 4fcfa0181ca5478103c6999199957be40f4a937b
SHA256 8ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512 d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72

memory/940-13-0x0000000000400000-0x0000000000448000-memory.dmp

C:\DelUS.bat

MD5 252889d3869deba6315d6c3b11ce84d8
SHA1 941d9e82932e4bf136c85fc61e29cbb0dad3e6b0
SHA256 5747144f85be15d7c09aa09f1f565e7640257e314ea362b680713d1d6017df2c
SHA512 bc942556e6a36240fc058167d67fba37a651915f9211ddb0b2f39bef52dd1a6b260c7b9b6fab6e5ce0987ee509f0abe2a62631272b1fd7e3c358873a6cf1056c

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 15:30

Reported

2024-04-15 15:32

Platform

win7-20240221-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2708 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f16300d6d4765295c22d114d06373463_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 postip.sidetab.co.kr udp

Files

memory/1728-0-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1728-1-0x00000000002F0000-0x0000000000338000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 dc62c2f61a803bd1292b0b169fa6f8d9
SHA1 117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA256 7434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA512 55f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1

\Program Files (x86)\PostTip\PostTip.exe

MD5 c2b5be376cac31c0b01603105ae4ea89
SHA1 4fcfa0181ca5478103c6999199957be40f4a937b
SHA256 8ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512 d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72

C:\DelUS.bat

MD5 252889d3869deba6315d6c3b11ce84d8
SHA1 941d9e82932e4bf136c85fc61e29cbb0dad3e6b0
SHA256 5747144f85be15d7c09aa09f1f565e7640257e314ea362b680713d1d6017df2c
SHA512 bc942556e6a36240fc058167d67fba37a651915f9211ddb0b2f39bef52dd1a6b260c7b9b6fab6e5ce0987ee509f0abe2a62631272b1fd7e3c358873a6cf1056c

memory/1728-25-0x0000000000400000-0x0000000000448000-memory.dmp