Malware Analysis Report

2025-01-18 21:40

Sample ID 240415-vtflmadh9w
Target f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118
SHA256 e73827d3293d3634e99721d2aebff884b6bd0b0dc05ee3207979fc2f905157ab
Tags
adware persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e73827d3293d3634e99721d2aebff884b6bd0b0dc05ee3207979fc2f905157ab

Threat Level: Likely malicious

The file f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware persistence stealer

Sets file execution options in registry

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 17:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 17:16

Reported

2024-04-15 17:19

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ctfmon_oq.exe C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\xwr36280.dll C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\ = "LIB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID\ = "D.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2812 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2556 (12 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr36280.dll

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

Network

N/A

Files

C:\Windows\SysWOW64\xwr36280.dll

MD5 54fc7ad34a3992ad54f2de2888e61b91
SHA1 ffca58cc2ceb6e66165243e249dbc7901a422a81
SHA256 4fcc806368134bf266a6c76c9f6106db411699e80bcee350c91c82f24b2d4df8
SHA512 057cbeb613c61639222930284443e070cc7e53fa07891b73b84c89f5e378265250e2a08f3e525fc37169d227a34c101cc55d24d74e50eb49494eee9a133c1759

memory/2556-3-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-5-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-8-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-10-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-12-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-14-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-16-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2556-20-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-22-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-23-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-24-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2556-25-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2556-26-0x0000000000400000-0x0000000000597000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 17:16

Reported

2024-04-15 17:19

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" C:\Windows\SysWOW64\regsvr32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xwr36280.dll C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ctfmon_oq.exe C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID\ = "D.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\ = "LIB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
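The "Sets file execution options", "Installs/modifies Browser Helper Object" and "Modifies registry class" tables above describe one mechanism and are easiest to read as a single chain: the IFEO Debugger value makes every launch of ctfmon.exe run ctfmon_oq.exe instead, and the COM registration ties BHO CLSID {74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} (ProgID D.1, interface IDOMPeek) to xwr36280.dll, which Internet Explorer loads in-process. Note that regsvr32.exe ran as a 32-bit process from SysWOW64, so its write to C:\Windows\system32 was redirected to SysWOW64 by WoW64 file-system redirection; that is why the command line and the Debugger value say system32 while the dropped files are listed under SysWOW64. The Python below is an added triage helper, not part of the sandbox report, that parses indicator rows in the layout rendered on this page (an assumption about the rendering) and reconstructs both links; its row list is copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator rows copied verbatim from the behavioral2 signature tables above (a subset).
REPORT_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID\ = "D.1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+) (\S+)$')
GUID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)
IFEO_MARK = "\\image file execution options\\"
BHO_MARK = "\\explorer\\browser helper objects\\"


@dataclass
class RegEvent:
    op: str               # "key" (key created) or "set" (value written)
    path: str             # key path, or value path for "set", as the sandbox logs it
    value: Optional[str]  # written data with the report's doubled backslashes undone
    process: str          # process that performed the write


def parse_rows(rows):
    """Turn the report's registry indicator rows into RegEvent records."""
    events = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            _vtype, path, raw, proc, _target = m.groups()
            events.append(RegEvent("set", path, raw.replace("\\\\", "\\"), proc))
            continue
        m = KEY_RE.match(row)
        if m:
            path, proc, _target = m.groups()
            events.append(RegEvent("key", path, None, proc))
    return events


def find_ifeo_debuggers(events):
    """Hijacked image name -> Debugger value, for every IFEO\\<image>\\Debugger write."""
    hits = {}
    for e in events:
        low = e.path.lower()
        if e.op == "set" and IFEO_MARK in low and low.endswith("\\debugger"):
            hits[e.path.split("\\")[-2].lower()] = e.value
    return hits


def find_bho_clsids(events):
    """CLSIDs registered under Explorer\\Browser Helper Objects (either registry view)."""
    clsids = set()
    for e in events:
        low = e.path.lower()
        if BHO_MARK in low:
            m = GUID_RE.search(e.path[low.index(BHO_MARK) + len(BHO_MARK):])
            if m:
                clsids.add(m.group(0).upper())
    return clsids


def resolve_clsid(events, clsid):
    """Follow a CLSID to its ProgID and the in-process server DLL the browser would load."""
    info = {"clsid": clsid, "progid": None, "inproc_server": None}
    needle = f"\\clsid\\{clsid.lower()}\\"
    for e in events:
        low = e.path.lower()
        if e.op != "set" or needle not in low:
            continue
        tail = low[low.index(needle) + len(needle):]
        if tail == "progid\\":
            info["progid"] = e.value
        elif tail == "inprocserver32\\":
            info["inproc_server"] = e.value
    return info


def wow64_write_path(path):
    """Where a 32-bit process's write under C:\\Windows\\system32 lands on 64-bit Windows."""
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


def persistence_chain(rows):
    events = parse_rows(rows)
    chain = {"ifeo": find_ifeo_debuggers(events), "bho": []}
    for clsid in sorted(find_bho_clsids(events)):
        chain["bho"].append(resolve_clsid(events, clsid))
    return chain


if __name__ == "__main__":
    chain = persistence_chain(REPORT_ROWS)
    for image, debugger in chain["ifeo"].items():
        print(f"IFEO: launching {image} runs {debugger} (written to {wow64_write_path(debugger)})")
    for bho in chain["bho"]:
        print(f"BHO {bho['clsid']} ({bho['progid']}) -> {bho['inproc_server']}")
```

wow64_write_path() models the redirection only for the file drop. The Debugger value is resolved by whichever process later launches ctfmon.exe, and a 64-bit launcher resolves C:\Windows\system32 to the real System32, where the report shows no ctfmon_oq.exe; whether the IFEO hook actually fires on a 64-bit host is something to confirm on a live system rather than infer from this run.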

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 696 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3472 wrote to memory of 4760 (13 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
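The writes above fall into two groups: three into the regsvr32.exe child, which is the DLL-registration step, and thirteen into a second instance of the sample itself (PID 4760), whose memory the sandbox later dumped at 0x400000-0x597000 (see the Files section for this run). Read together with "Suspicious use of SetThreadContext" from the summary, that is the pattern an analyst checks for process hollowing: start a copy of yourself, overwrite its image, redirect its thread. The Python below is an added scoring heuristic, not part of this report, that replays those rows; it also encodes a caveat the sandbox signature does not make, namely that a parent writing a few blocks into a freshly created child is normal, because CreateProcess itself writes the child's process parameters into the new process. The SetThreadContext observation is passed in as a flag because the report records it only as a summary line, and the rows and dump names are constructed from this run.

```python
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000  # preferred base of a classic 32-bit EXE built without ASLR

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"

# Constructed from the behavioral2 WriteProcessMemory table: 3 rows into regsvr32, 13 into PID 4760.
WRITE_ROWS = ([f"PID 3472 wrote to memory of 696 N/A {SAMPLE} {REGSVR}"] * 3
              + [f"PID 3472 wrote to memory of 4760 N/A {SAMPLE} {SAMPLE}"] * 13)
# Dump names taken from the behavioral2 Files section (subset).
DUMP_NAMES = [
    "memory/4760-3-0x0000000000400000-0x0000000000597000-memory.dmp",
    "memory/4760-7-0x0000000002400000-0x0000000002401000-memory.dmp",
    "memory/4760-10-0x0000000000400000-0x0000000000597000-memory.dmp",
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_writes(rows):
    """(src_pid, dst_pid, src_image, dst_image) for each WriteProcessMemory row."""
    out = []
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            src, dst, src_img, dst_img = m.groups()
            out.append((int(src), int(dst), src_img, dst_img))
    return out


def parse_dumps(names):
    """pid -> set of (start, end) address ranges the sandbox dumped from that process."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def assess_injection(write_rows, dump_names, set_thread_context_seen):
    """Score each (writer, target) pair for the self-hollowing pattern."""
    pairs = {}
    for src, dst, src_img, dst_img in parse_writes(write_rows):
        p = pairs.setdefault((src, dst), {"writes": 0, "src_image": src_img, "dst_image": dst_img})
        p["writes"] += 1
    dumps = parse_dumps(dump_names)
    findings = []
    for (src, dst), p in pairs.items():
        reasons = []
        if basename(p["src_image"]) == basename(p["dst_image"]):
            reasons.append("target is a second instance of the writer's own image")
        if any(start == DEFAULT_IMAGE_BASE for start, _ in dumps.get(dst, ())):
            reasons.append("target memory dumped at the image base 0x400000")
        hollow = len(reasons) == 2
        if hollow and set_thread_context_seen:
            reasons.append("SetThreadContext seen in the run (entry point redirected)")
        findings.append({
            "src_pid": src, "dst_pid": dst, "writes": p["writes"], "target": basename(p["dst_image"]),
            "verdict": ("possible process hollowing" if hollow
                        else "no hollowing indicators (a few writes into a new child are normal)"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in assess_injection(WRITE_ROWS, DUMP_NAMES, set_thread_context_seen=True):
        print(f"{f['src_pid']} -> {f['dst_pid']} ({f['target']}, {f['writes']} writes): {f['verdict']}")
```

The heuristic deliberately needs both the same-image condition and a dump at the image base before it calls a pair hollowing; the write count alone separates nothing here, since the regsvr32 child also received writes. Confirming the verdict means comparing the 0x400000-0x597000 dump for PID 4760 against the on-disk PE (different section hashes or a different entry point), which is the step the sandbox leaves to the analyst.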

Processes

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr36280.dll

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
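Every entry in this table is a PTR (reverse) query sent to 8.8.8.8; no forward name resolution appears in the capture, so this run yields no domain indicator to block, and reverse lookups of this kind can also be generated by the operating system itself, which makes them weak indicators on their own. To see which addresses were being looked up, decode the in-addr.arpa labels, which list the octets in reverse order. The Python below is an added helper, not part of the report; its input rows are the ones above, and the first-octet grouping is only a coarse summary, since attributing the decoded addresses needs ASN or WHOIS data this page does not carry.

```python
import re
from collections import Counter

NET_RE = re.compile(r"^(\w+) (\S+?):(\d+) (\S+) (\w+)$")
PTR_SUFFIX = ".in-addr.arpa"

# Rows copied from the behavioral2 Network table above.
NETWORK_ROWS = [
    "US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp",
    "US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp",
    "US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp",
    "US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp",
    "US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp",
]


def ptr_to_ipv4(name):
    """Decode an in-addr.arpa query name; the four labels are the address octets reversed."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage_dns(rows):
    """Split the capture into forward names and decoded reverse lookups, with a summary."""
    resolvers, first_octets = Counter(), Counter()
    reverse, forward = [], []
    for row in rows:
        m = NET_RE.match(row)
        if not m:
            continue
        _country, ip, port, name, _proto = m.groups()
        resolvers[f"{ip}:{port}"] += 1
        addr = ptr_to_ipv4(name)
        if addr is None:
            forward.append(name)
        else:
            reverse.append(addr)
            first_octets[addr.split(".")[0]] += 1
    return {"resolvers": dict(resolvers), "reverse": reverse,
            "forward": forward, "first_octets": dict(first_octets)}


if __name__ == "__main__":
    summary = triage_dns(NETWORK_ROWS)
    print("forward lookups:", summary["forward"] or "none")
    for addr in summary["reverse"]:
        print("PTR for", addr)
```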

Files

C:\Windows\SysWOW64\xwr36280.dll

MD5 54fc7ad34a3992ad54f2de2888e61b91
SHA1 ffca58cc2ceb6e66165243e249dbc7901a422a81
SHA256 4fcc806368134bf266a6c76c9f6106db411699e80bcee350c91c82f24b2d4df8
SHA512 057cbeb613c61639222930284443e070cc7e53fa07891b73b84c89f5e378265250e2a08f3e525fc37169d227a34c101cc55d24d74e50eb49494eee9a133c1759

memory/4760-3-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4760-5-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4760-7-0x0000000002400000-0x0000000002401000-memory.dmp

memory/4760-8-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4760-9-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4760-10-0x0000000000400000-0x0000000000597000-memory.dmp