Analysis Overview
SHA256
bd6e8fd974a4bf07f010c83eecbb4e0152e9ca71f7a086438e12efb0bcb6b9f4
Threat Level: Shows suspicious behavior
The file 03c6ebd010f0407514625518ee545863_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 06:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 06:49
Reported
2024-06-20 06:52
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ = "AdPopup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\PushWare\Uninst.exe | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\PushWare\cpush.dll | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewCosoMediumPop.PopCoso" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewCosoMediumPop.PopCoso.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\VersionIndependentProgID\ = "NexwAdPopup.AWLogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CurVer\ = "NexwAdPopup.AWLogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
Network
Files
C:\Program Files (x86)\Common Files\PushWare\cpush.dll
| MD5 | a66cacb7947b94dff2acc14aab607266 |
| SHA1 | a7c627a114b44071831b3cfecb9d3328b7e6a51e |
| SHA256 | 567887e104611e6a3c9d593e5cfdf326e449462b31745999e27001d269a647e5 |
| SHA512 | 1250a8eab2f382c8bafbca1cbe12590a7911cae89264457e721d7fcea97fa12641ff6ecb2ae336bcb0a99f457cb364e3cb1e54ed03dca0fc8ccb9d5b180aa8bb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 06:49
Reported
2024-06-20 06:52
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
58s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ = "AdPopup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\PushWare\Uninst.exe | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\PushWare\cpush.dll | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewCosoMediumPop.PopCoso" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CLSID\ = "{11F09AFE-75AD-4E52-AB43-E09E9351CE17}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\CLSID\ = "{11F09AFE-75AD-4E52-AB43-E09E9351CE17}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\ = "CPopupBlock Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\ = "CAdLogic Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CurVer\ = "NexwAdPopup.AWLogic.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer\ = "NewAdPopup.ToolbarDetector.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3288 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3288 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3288 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c6ebd010f0407514625518ee545863_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Program Files (x86)\Common Files\PushWare\cpush.dll
| MD5 | a66cacb7947b94dff2acc14aab607266 |
| SHA1 | a7c627a114b44071831b3cfecb9d3328b7e6a51e |
| SHA256 | 567887e104611e6a3c9d593e5cfdf326e449462b31745999e27001d269a647e5 |
| SHA512 | 1250a8eab2f382c8bafbca1cbe12590a7911cae89264457e721d7fcea97fa12641ff6ecb2ae336bcb0a99f457cb364e3cb1e54ed03dca0fc8ccb9d5b180aa8bb |