Malware Analysis Report

2024-07-28 05:18

Sample ID 240603-a7b55sdc2y
Target 90039c975ddc2e891b50aae18bed6a65_JaffaCakes118
SHA256 15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
Tags
adware discovery persistence stealer
score
7/10

Analysis Overview

score
7/10

SHA256

15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd

Threat Level: Shows suspicious behavior

The file 90039c975ddc2e891b50aae18bed6a65_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence stealer

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 00:50

Reported

2024-06-03 00:53

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\anD C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.dll" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2276 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2668 wrote to memory of 2628 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe


C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 00:50

Reported

2024-06-03 00:53

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.dll" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

MD5 6223a19e77e3b9b4f633e8863ee1cf40
SHA1 ee5ec9cffb59790d553f5a3394ad5808e1e37446
SHA256 d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46
SHA512 66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat

MD5 99df1dab85dd4b568804cf7123ecef54
SHA1 199ab77160bb3030b6ff57517b5cf318b1831cc9
SHA256 9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890
SHA512 31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll

MD5 9afeb7fa65aa31c6b871237d14a8fb94
SHA1 58f99ae9ea22f56f28b6c5fa798bda3109f297f6
SHA256 4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a
SHA512 311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb

MD5 9f260bfcd1ef83627ceb2792ee3324f5
SHA1 078164529ae639e5ff9cf0e4003a82259c2aace8
SHA256 8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526
SHA512 3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll

MD5 410bb7e2c88f92de31b83a173e173e2d
SHA1 ff40233a038f80b7b1513431d6a9632e8f0e39f0
SHA256 afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3
SHA512 d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e