Analysis Overview
SHA256
7cfc20261a718436a08a7b1789e2e75a2106e948b92b7a61b5a37b6e7252f538
Threat Level: Shows suspicious behavior
The file a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Checks whether UAC is enabled
Unsigned PE
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:41
Reported
2024-06-13 22:44
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f613fe0\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe
"C:\Users\Admin\AppData\Local\Temp/1f613fe0/setup.exe" ProfileFileName=step0.ini
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | r1.homebestmy.info | udp |
| US | 8.8.8.8:53 | r2.homebestmy.info | udp |
| US | 8.8.8.8:53 | c1.setepicnew.info | udp |
| US | 8.8.8.8:53 | c2.setepicnew.info | udp |
Files
\Users\Admin\AppData\Local\Temp\1f613fe0\setup.exe
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\step0.ini
memory/2900-18-0x0000000000130000-0x0000000000131000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\boot.dat
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\installer.dat
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\installer-config.dat
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\new-screen.dat
C:\Users\Admin\AppData\Local\Temp\1f613fe0\installer\step0.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:41
Reported
2024-06-13 22:44
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
100s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31\\setup.exe" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f120a31" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe |
| PID 2984 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe |
| PID 2984 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6f171ff22a6c34a8d0d15e51e6b254f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe
"C:\Users\Admin\AppData\Local\Temp/2f120a31/setup.exe" ProfileFileName=step0.ini
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2f120a31\setup.exe
C:\Users\Admin\AppData\Local\Temp\2f120a31\installer\step0.ini
memory/2720-16-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2f120a31\installer\boot.dat
memory/2720-19-0x0000000000CB0000-0x0000000000CB1000-memory.dmp