Malware Analysis Report

2024-09-11 13:19

Sample ID 240613-3bhbhavdqe
Target a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118
SHA256 240eb95bdcbaaea23c78ad897268933029656db302374e574adfd0edb0e48310
Tags evasion persistence trojan
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

evasion persistence trojan

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Checks whether UAC is enabled

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:20

Reported

2024-06-13 23:22

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d\\setup.exe" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d\\setup.exe" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d\\setup.exe" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d\\setup.exe" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\248f562d\\setup.exe" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0 C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class" C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\248f562d\setup.exe

"C:\Users\Admin\AppData\Local\Temp/248f562d/setup.exe" ProfileFileName=step0.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 r1.homebestmy.info udp
US 8.8.8.8:53 r1.homebestmy.info udp
US 8.8.8.8:53 r2.homebestmy.info udp
US 8.8.8.8:53 r2.homebestmy.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c2.setepicnew.info udp
US 8.8.8.8:53 c2.setepicnew.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c1.setepicnew.info udp
US 8.8.8.8:53 c2.setepicnew.info udp

Files

\Users\Admin\AppData\Local\Temp\248f562d\setup.exe

MD5 c3bc99a2f410a5bede595c6a35aabc44
SHA1 cf513259f468b9b15d1749dbe60d215c0b76098c
SHA256 747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6
SHA512 ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3

C:\Users\Admin\AppData\Local\Temp\248f562d\installer\step0.ini

MD5 78497ab32c0a8e2de6b1fb7083ad3d27
SHA1 2abe1f3e863cb0942b9b5e4c45ac5337824fe9ef
SHA256 95235def7a6189245e22b855bb889b4c9d4c156c091320a3399f4647c2104eb5
SHA512 0927e5afe02a14c02891724ccd50df88ed30df89cdd869c028e65265ea8d03f3e4e0595c1f7b44067595f6c92fecf2556a829a63438fadc05b454bc3497e06b6

memory/2648-18-0x0000000000190000-0x0000000000191000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\248f562d\installer\boot.dat

MD5 82ff009dd3236db90393cead19bd2b16
SHA1 3b9eab7281a500960d6598316db7b8299970d8ba
SHA256 0f1d6e066ebc9ed29cc2f194fad5091431a57eb85e13fdd19d1c8881c9402e71
SHA512 47bc6609654812719030e470f949b2af139346937cb689d078de731d57278f2743da5a1cf2dd71bbadb47251be7e5b784c429ba2769559e2d4dcddc978fbe8f1

C:\Users\Admin\AppData\Local\Temp\248f562d\installer\installer.dat

MD5 298dc9fe1774bad46acae8aec86b8a40
SHA1 f9f5564461b94e309043e2c555b645fdb69611b0
SHA256 ceee1f89c72361136d3c7f884c9a54ccf3e99aa25fbc0aeef4c79c9f1e38307e
SHA512 a47c66bd350774b0932a42062952e9cd260daf0cf4b6a2f5ce886a24e592bb113aaa0d386c712d7a63ef3070f85540a8125579a524269091684e59ccc601f2eb

C:\Users\Admin\AppData\Local\Temp\248f562d\installer\installer-config.dat

MD5 26346960decad3a50d16370897784854
SHA1 a2a5986399f33bd62cd15757895475f818291302
SHA256 e6283313fa634034a1251471b5517fa9264c55f1e8008af103dbb13242dcc88f
SHA512 1344d6c3201e33ff26063c58b2030b1b16fb8bcab951caa9bfe9cce4c09d190881705a7eafccc6ccfe0bdf1abf71ae360ea3e3ef10ee6ef0cfaf0eb1aba39e54

C:\Users\Admin\AppData\Local\Temp\248f562d\installer\new-screen.dat

MD5 ff3ac2ce15df8c6e09677fff184dd67e
SHA1 a9b938df0cb6338c557c118766e25acc97bcf1f8
SHA256 ae780c4499c3560092e6b5bcbf4ae596f7b0df3e77d0d3cb3eeb33b54eeb2dfe
SHA512 a7fdd31a34c45d608f99afb06c9ac54c2218603f1d3828af13a0060e19f2d4903ddc253f3209455acff7459679e3514cade3289e21c1f3f598a07b7e8e361ad0

memory/2648-25-0x0000000000190000-0x0000000000191000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:20

Reported

2024-06-13 23:22

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd\\setup.exe" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd\\setup.exe" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd\\setup.exe" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd\\setup.exe" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fbf0dcd\\setup.exe" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7145cbe9cf3be98ed711d6ecd5d3f83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe

"C:\Users\Admin\AppData\Local\Temp/0fbf0dcd/setup.exe" ProfileFileName=step0.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\setup.exe

MD5 c3bc99a2f410a5bede595c6a35aabc44
SHA1 cf513259f468b9b15d1749dbe60d215c0b76098c
SHA256 747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6
SHA512 ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3

C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\installer\step0.ini

MD5 61ddd12ea884e660858c7140a9f27eb9
SHA1 f0cd6daeece246153bb6e3f571986ad09badb8eb
SHA256 f17a6a5f158fde22e9dbee214a011ce14fabeeb3962557160df78ca85e3cc1e8
SHA512 b2db483b3ca665992851b6e7ec094272533bec53796774571ed1ddc865e6db4d72e6bebbbc57eef168e1af5ed1377e0e571f27468361cc957873094dd69c265b

memory/2288-16-0x0000000001470000-0x0000000001471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0fbf0dcd\installer\boot.dat

MD5 82ff009dd3236db90393cead19bd2b16
SHA1 3b9eab7281a500960d6598316db7b8299970d8ba
SHA256 0f1d6e066ebc9ed29cc2f194fad5091431a57eb85e13fdd19d1c8881c9402e71
SHA512 47bc6609654812719030e470f949b2af139346937cb689d078de731d57278f2743da5a1cf2dd71bbadb47251be7e5b784c429ba2769559e2d4dcddc978fbe8f1

memory/2288-19-0x0000000001470000-0x0000000001471000-memory.dmp