Malware Analysis Report

2025-01-18 22:27

Sample ID 240504-x4jgdabc65
Target 14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118
SHA256 2397b65795c70297e23da3bdaf94cc9ce48f46d071634d106a7b9011cb9cba21
Tags
adware discovery persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2397b65795c70297e23da3bdaf94cc9ce48f46d071634d106a7b9011cb9cba21

Threat Level: Shows suspicious behavior

The file 14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

adware discovery persistence stealer

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 19:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 19:24

Reported

2024-05-04 19:26

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.dll | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.dll | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.tlb | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.tlb | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.dat | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.dat | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CurVer\ = "ssafewEb.1.1" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\CLSID\ = "{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.tlb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\CLSID | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CurVer | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\saFewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.dll" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CLSID | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID\ = "ssafewEb.1.1" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID\ = "ssafewEb.1.1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID\ = "ssafewEb" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} = "1" | C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe | N/A
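Read together, the "Registers COM server for autorun", "Installs/modifies Browser Helper Object" and "System policy modification" tables describe a single persistence mechanism: Internet Explorer loads every CLSID listed under Explorer\Browser Helper Objects at startup by resolving its InprocServer32 DLL, NoExplorer = 1 keeps the object out of Windows Explorer so it only loads in the browser, and the Policies\Ext\CLSID\{clsid} = "1" entry places the add-on on the administrator-approved Add-on List so IE does not prompt the user to enable it. Because the dropper is 32-bit and the 64-bit regsvr32 registers the x64 DLL, the same CLSID is wired up in both the WOW6432Node (32-bit) and native (64-bit) registry views. The Python below is an added example, not part of the sandbox output: it correlates rows in the sandbox's Description / Indicator / Process layout back into that chain and emits the DLL paths as IOCs. The EVENTS list is constructed from rows of this report (the behavioral1 run on win7 logs the same chain with different key casing, which the case-insensitive patterns also accept); the dataclass, regular expressions and function names are this example's own.

```python
"""Reconstruct a Browser Helper Object persistence chain from sandbox registry rows.

Added example; the EVENTS rows are constructed from this report's behavioral2 tables.
Row layout assumed: (description, indicator, writing process), as the sandbox prints it.
"""
import re
from dataclasses import dataclass, field

EVENTS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll"', r"C:\Windows\system32\regsvr32.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.dll"', r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}", r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}", r"C:\Windows\system32\regsvr32.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\NoExplorer = "1"', r"C:\Windows\system32\regsvr32.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}", r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb"', r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} = "1"', r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
    # Unrelated COM plumbing from the same report; must not produce a chain of its own.
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0", r"C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe"),
]

GUID = r"\{([0-9A-F-]{36})\}"
# CLSID\{clsid}\InprocServer32 default value = DLL that COM (and therefore IE) will load.
RE_INPROC = re.compile(r"\\Classes\\(WOW6432Node\\)?CLSID\\" + GUID + r"\\InprocServer32\\ = \"(.+)\"$", re.I)
# Explorer\Browser Helper Objects\{clsid} plus anything after it (NoExplorer, default name).
RE_BHO = re.compile(r"\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + GUID + r"(.*)$", re.I)
# Add-on List policy: value "1" = administrator-approved, IE will not prompt the user.
RE_POLICY = re.compile(r"\\Policies\\Ext\\CLSID\\" + GUID + r" = \"1\"$", re.I)


@dataclass
class BhoChain:
    clsid: str
    name: str = ""
    servers: dict = field(default_factory=dict)    # registry view -> InprocServer32 DLL path
    bho_views: set = field(default_factory=set)    # views in which the BHO key was created
    no_explorer: bool = False
    pre_approved: bool = False
    writers: set = field(default_factory=set)      # image names that touched the chain


def _view(wow_group):
    # WOW6432Node is the 32-bit view of the registry on 64-bit Windows.
    return "x86" if wow_group else "x64"


def reconstruct(events):
    """Group the sandbox rows by CLSID. Rows are not guaranteed to be chronological,
    so any 'Key created' counts as a registration even if a delete is listed near it."""
    chains = {}
    for desc, indicator, process in events:
        if m := RE_INPROC.search(indicator):
            chain = chains.setdefault(m.group(2).upper(), BhoChain(m.group(2).upper()))
            # The sandbox doubles backslashes inside quoted values; undo that for the IOC.
            chain.servers[_view(m.group(1))] = m.group(3).replace("\\\\", "\\")
        elif m := RE_BHO.search(indicator):
            chain = chains.setdefault(m.group(2).upper(), BhoChain(m.group(2).upper()))
            rest = m.group(3)
            if desc == "Key created" and rest == "":
                chain.bho_views.add(_view(m.group(1)))
            elif rest.lower().endswith('noexplorer = "1"'):
                chain.no_explorer = True
            elif rest.startswith('\\ = "'):
                chain.name = rest[5:-1]
        elif m := RE_POLICY.search(indicator):
            chain = chains.setdefault(m.group(1).upper(), BhoChain(m.group(1).upper()))
            chain.pre_approved = True
        else:
            continue
        chain.writers.add(process.rsplit("\\", 1)[-1])
    return chains


def dropped_dll_paths(chains):
    """Sorted, de-duplicated DLL paths to hunt for on disk (the file IOCs)."""
    return sorted({path for c in chains.values() for path in c.servers.values()})


def findings(chain):
    """Human-readable summary lines for one reconstructed chain."""
    lines = [f"BHO {chain.clsid} ({chain.name or 'unnamed'}) registered in views: {sorted(chain.bho_views)}"]
    for view, dll in sorted(chain.servers.items()):
        lines.append(f"  {view} InprocServer32 -> {dll}")
    if chain.no_explorer:
        lines.append("  NoExplorer=1: loads in Internet Explorer only, not in Windows Explorer")
    if chain.pre_approved:
        lines.append("  Policies\\Ext\\CLSID = 1: pre-approved, IE will not prompt the user")
    lines.append(f"  written by: {sorted(chain.writers)}")
    return lines


if __name__ == "__main__":
    for chain in reconstruct(EVENTS).values():
        print("\n".join(findings(chain)))
    print("file IOCs:", dropped_dll_paths(reconstruct(EVENTS)))
```

On a live host the same three locations (HKLM\Software\Classes\CLSID and its WOW6432Node twin, Explorer\Browser Helper Objects in both views, and Policies\Ext\CLSID) are where a responder would read the state back; a BHO whose InprocServer32 points at an unsigned DLL under a randomly named Program Files directory, plus a pre-approval policy value written by that same installer rather than by Group Policy, is the combination this report shows.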

Processes

C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe

"C:\Users\Admin\AppData\Local\Temp/152970b4/W9jnissJiY.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll"

Note on the process tree: the 32-bit dropper invokes the 32-bit regsvr32 (SysWOW64) on a 64-bit DLL. regsvr32 detects the image bitness and re-launches its 64-bit counterpart from System32 with the same arguments, which is why a second regsvr32 appears whose recorded command line is only /s "...". The /s switch silences the DllRegisterServer result dialog. This matches the registry tables above: the native-view CLSID and Browser Helper Objects keys pointing at t2rUn2elu.x64.dll are written by C:\Windows\system32\regsvr32.exe, while the WOW6432Node keys pointing at t2rUn2elu.dll are written directly by W9jnissJiY.exe.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
NL | 23.62.61.112:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 112.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Every destination in this table is a Bing endpoint or a reverse-DNS (in-addr.arpa) lookup sent to the sandbox resolver, and the table does not attribute flows to a process, so no sample-specific command-and-control traffic can be confirmed from this run; treat the BHO DLL as the component to examine for network behaviour once it is loaded by a browser.

Files

C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.exe

MD5 18c75d6e6235019d9d92dd51ff43cc3b
SHA1 43a8d282ea4e1b4f93df8d658fa5f82ba867c63b
SHA256 6fa174fac7057197989781c0e04e76f326e424e75685b12af12d293934e16335
SHA512 deffac9f5605d3ddc9cdc1eb276802be7975dda1af6bdf6d5eb5ff6dece6208ae7af50ad2af5ceeadf17091270aa34a957a8d9ca676b3cf037f0bc6e181dc1fd

C:\Users\Admin\AppData\Local\Temp\152970b4\W9jnissJiY.dat

MD5 1a68c28d6ff3066627ec1199579b655b
SHA1 ea0ef060d1fc467ca652ca9a86335e1466234547
SHA256 d050f17f46d4a2a5edca5fa80c48c30edeb9647b1f8495e6efb68225b94f492a
SHA512 822fcb3576322261aacc7b07d56b635a8d7eaa2da58fe78347bfefa7961cabcc373af85ad9a599a421ee551530ac27eb6b2e8850bb5577c0993a129089475f9c

C:\Users\Admin\AppData\Local\Temp\152970b4\t2rUn2elu.dll

MD5 ffe3f0c62f2fede9890b18d73724fd97
SHA1 0dafa42039405f8d49a6790180194076bd57c833
SHA256 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8
SHA512 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

C:\Users\Admin\AppData\Local\Temp\152970b4\t2rUn2elu.tlb

MD5 8d10c52cfa044ccdcfff4e0b5775babd
SHA1 3b2c872ab3237d7b74377032ed7a5239c82df766
SHA256 af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156
SHA512 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

C:\Users\Admin\AppData\Local\Temp\152970b4\t2rUn2elu.x64.dll

MD5 0231aebb8155fd069d17eab6a679cc1e
SHA1 61cb4b5228e6253863391ef3346c2f9920dbc554
SHA256 fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672
SHA512 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 19:24

Reported

2024-05-04 19:27

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.dll | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.dll | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.tlb | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.tlb | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.dat | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.dat | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File created | C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
File opened for modification | C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID\ = "ssafewEb.1.1" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.dll" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\ = "saFewEb" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ProgID\ = "ssafewEb.1.1" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\CLSID\ = "{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.dll" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CLSID\ = "{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\ = "saFewEb" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\CLSID\ = "{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CLSID\ = "{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CurVer C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.tlb" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\saFewEb" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb.1.1\ = "saFewEb" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Programmable C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CurVer\ = "ssafewEb.1.1" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\InprocServer32\ = "C:\\Program Files (x86)\\saFewEb\\t2rUn2elu.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ssafewEb.ssafewEb\CLSID C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe
PID 2116 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 3060 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{36A58CEB-FD97-F372-8CC5-1CED259AFD6B} = "1" C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\14254cfbbeed48ab0123d3c0fc38d1d9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe

"C:\Users\Admin\AppData\Local\Temp/3e232450/W9jnissJiY.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\saFewEb\t2rUn2elu.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.exe


C:\Users\Admin\AppData\Local\Temp\3e232450\W9jnissJiY.dat


C:\Users\Admin\AppData\Local\Temp\3e232450\t2rUn2elu.tlb


C:\Users\Admin\AppData\Local\Temp\3e232450\t2rUn2elu.dll


C:\Users\Admin\AppData\Local\Temp\3e232450\t2rUn2elu.x64.dll
