Analysis Overview
SHA256
e73827d3293d3634e99721d2aebff884b6bd0b0dc05ee3207979fc2f905157ab
Threat Level: Likely malicious
The file f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Sets file execution options in registry
Loads dropped DLL
Checks computer location settings
Installs/modifies Browser Helper Object
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 17:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 17:16
Reported
2024-04-15 17:19
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ctfmon_oq.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\xwr36280.dll | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2180 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID\ = "D.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
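The registry rows above describe two persistence mechanisms that outlive the sandbox run. An `Image File Execution Options\<exe>\Debugger` value makes Windows start the named debugger path instead of the executable every time it is launched, with the original command line appended, so here every launch of ctfmon.exe would run ctfmon_oq.exe. A CLSID listed under `Explorer\Browser Helper Objects` is loaded into Internet Explorer through the DLL named in that CLSID's `InprocServer32` default value, here the dropped xwr36280.dll. As an added example that is not part of this report or of the sandbox's signature engine, the Python below takes the file and registry rows from the behavioral1 tables (copied in as constructed sample input, in the report's own row layout) and ties each persistence pointer back to the file created during the run. It matches the referenced file by name rather than full path: the Debugger value says `C:\Windows\system32\ctfmon_oq.exe`, but the file regsvr32 created is recorded under SysWOW64, most likely because the 32-bit regsvr32's write to system32 was redirected by WOW64. The ATT&CK IDs in the output are my own mapping, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: file and registry rows copied from the behavioral1 tables
# of this report, in the report's "| action | indicator | process | target |" layout.
SAMPLE_ROWS = r"""
| File created | C:\Windows\SysWOW64\xwr36280.dll | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ctfmon_oq.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$')
SETVAL_RE = re.compile(r'^(?P<path>.*?) = "(?P<data>.*)"$')
# key patterns for the two persistence mechanisms seen in the report
IFEO_RE = re.compile(r'\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(?P<clsid>\{[0-9A-F-]+\})', re.I)
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InprocServer32\\$', re.I)


@dataclass
class Event:
    action: str           # "File created", "Key created", "Set value (str)", ...
    indicator: str        # file path, or registry key/value path
    process: str          # process that performed the action
    data: Optional[str]   # data written, for "Set value" rows only


@dataclass
class Finding:
    technique: str
    summary: str
    dropped_by: Optional[str]   # process that created the referenced file, if seen


def parse_rows(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        action, indicator, process, _target = m.groups()
        data = None
        if action.startswith("Set value"):
            sv = SETVAL_RE.match(indicator)
            if sv:
                indicator = sv.group("path")
                data = sv.group("data").replace("\\\\", "\\")  # report escapes backslashes in data
        events.append(Event(action, indicator, process, data))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[Finding]:
    # files created during the run, keyed by lower-case file name so that a
    # system32 reference and a SysWOW64 drop of the same file still match
    dropped: Dict[str, Event] = {basename(e.indicator): e for e in events if e.action == "File created"}
    findings: List[Finding] = []
    bho_clsids = set()
    inproc: Dict[str, str] = {}
    for e in events:
        m = IFEO_RE.search(e.indicator)
        if m and e.data:
            d = dropped.get(basename(e.data))
            findings.append(Finding("T1546.012", f"IFEO Debugger for {m.group('exe')} -> {e.data}",
                                    d.process if d else None))
        m = BHO_RE.search(e.indicator)
        if m:
            bho_clsids.add(m.group("clsid").upper())
        m = INPROC_RE.search(e.indicator)
        if m and e.data:
            inproc[m.group("clsid").upper()] = e.data
    for clsid in sorted(bho_clsids):
        dll = inproc.get(clsid)
        d = dropped.get(basename(dll)) if dll else None
        findings.append(Finding("T1176", f"BHO {clsid} loads {dll or '<no InprocServer32 in log>'}",
                                d.process if d else None))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_rows(SAMPLE_ROWS)):
        tail = f" (file dropped by {f.dropped_by})" if f.dropped_by else ""
        print(f"{f.technique}: {f.summary}{tail}")
```

The same two rules applied to the behavioral2 tables give the same two findings; the only difference between the runs is the `WOW6432Node` casing, which the case-insensitive patterns absorb.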
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr36280.dll
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
Network
Files
C:\Windows\SysWOW64\xwr36280.dll
| MD5 | 54fc7ad34a3992ad54f2de2888e61b91 |
| SHA1 | ffca58cc2ceb6e66165243e249dbc7901a422a81 |
| SHA256 | 4fcc806368134bf266a6c76c9f6106db411699e80bcee350c91c82f24b2d4df8 |
| SHA512 | 057cbeb613c61639222930284443e070cc7e53fa07891b73b84c89f5e378265250e2a08f3e525fc37169d227a34c101cc55d24d74e50eb49494eee9a133c1759 |
memory/2556-3-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-5-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-8-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-10-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-12-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-14-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-16-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2556-20-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-22-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-23-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-24-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2556-25-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2556-26-0x0000000000400000-0x0000000000597000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 17:16
Reported
2024-04-15 17:19
Platform
win10v2004-20240412-en
Max time kernel
92s
Max time network
117s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_oq.exe" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\xwr36280.dll | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ctfmon_oq.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3472 set thread context of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ProgID\ = "D.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr36280.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74780CC4-AE34-3DE1-91B4-B5FD459DCB1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\ = "{E55E5353-AFB2-3DC3-AD89-057C785EFA93}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2F98FA-FEC9-3983-8404-941DC7E74100}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E55E5353-AFB2-3DC3-AD89-057C785EFA93}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr36280.dll
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f19360fb94f2e1e3841cdfc6dbc5fa2f_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\xwr36280.dll
| MD5 | 54fc7ad34a3992ad54f2de2888e61b91 |
| SHA1 | ffca58cc2ceb6e66165243e249dbc7901a422a81 |
| SHA256 | 4fcc806368134bf266a6c76c9f6106db411699e80bcee350c91c82f24b2d4df8 |
| SHA512 | 057cbeb613c61639222930284443e070cc7e53fa07891b73b84c89f5e378265250e2a08f3e525fc37169d227a34c101cc55d24d74e50eb49494eee9a133c1759 |
memory/4760-3-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4760-5-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4760-7-0x0000000002400000-0x0000000002401000-memory.dmp
memory/4760-8-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4760-9-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4760-10-0x0000000000400000-0x0000000000597000-memory.dmp