Analysis Overview
SHA256
60b38c6d54bca68644290a535ab81bdd9c87b2eeb65c94bc79a359184065b77b
Threat Level: Likely malicious
The file 04402045a46aa7c1a46adf17c775d84d_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: AppInit DLLs
Impair Defenses: Safe Mode Boot
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 08:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 08:09
Reported
2024-06-20 08:12
Platform
win7-20240611-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Event Triggered Execution: AppInit DLLs
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VIDEO | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\drvhive.ocx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\log.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\webmin\vmmreg32.bkp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2096 wrote to memory of 1664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll
Network
Files
C:\Windows\SysWOW64\log.txt
| MD5 | 02218b214eee5cf817eceac2ec8dcd6b |
| SHA1 | f01ca4a167ca340fff4bddd56db61580a55d7a9e |
| SHA256 | d225516032a31f6f883202384bd8553b5b76b05be8bc38e9e42e23fdf5a22b14 |
| SHA512 | 1b01ba74d10ed0eb7a9e11a35d46f62eeeda39c802fbf4916c6f0bc57aa54407984a525ec18090380da0dbaf55f38a46b9433dacfe117645648d24618c423082 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 08:09
Reported
2024-06-20 08:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Event Triggered Execution: AppInit DLLs
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VIDEO | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\log.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\webmin\vmmreg32.bkp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\drvhive.ocx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3016 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3016 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3016 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.229.43:443 | | tcp |
Files
C:\Windows\SysWOW64\log.txt
| MD5 | b16b1939a07b21f11ebe240e83b1c029 |
| SHA1 | 595c12903be8a63da31b1d470943e28dca8d5777 |
| SHA256 | 22e1baf11bc1ab4b6c97f97b09178b0ff71a122969949945a1591b0ee8da8e8f |
| SHA512 | 848af880307b64d034b28d09f300e464aec70666389f1bf5e4ce1731e3297c68265708975692c9b83d79583d2cde937b07dc312f4d8d0e98aa8d0bb6de91e9ac |
C:\Windows\SysWOW64\log.txt
| MD5 | bc27128d3daf8f426034c2492c299e90 |
| SHA1 | 4034502da3842d10e3f72db356b4e1df813a618d |
| SHA256 | 3ac89ef872500e6b97eda5f0c62a3c3bca50b2bf0d958de1789eb6d9443722df |
| SHA512 | 3af3a6be5022ea535831f8ce2d519b11c0be3d95b702ba2430de142b2b1332a1ba72a7a782e4092f5e64cdf65cafeec23c3fad222f126cb74dd424a83fcfdc88 |