Malware Analysis Report

2024-10-19 10:47

Sample ID 240620-j2k1jaxdla
Target 04402045a46aa7c1a46adf17c775d84d_JaffaCakes118
SHA256 60b38c6d54bca68644290a535ab81bdd9c87b2eeb65c94bc79a359184065b77b
Tags
adware defense_evasion persistence privilege_escalation stealer
score
8/10

Analysis Overview

score
8/10

SHA256

60b38c6d54bca68644290a535ab81bdd9c87b2eeb65c94bc79a359184065b77b

Threat Level: Likely malicious

The file 04402045a46aa7c1a46adf17c775d84d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware defense_evasion persistence privilege_escalation stealer

Event Triggered Execution: AppInit DLLs

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:09

Reported

2024-06-20 08:12

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Impair Defenses: Safe Mode Boot

defense_evasion

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VIDEO C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drvhive.ocx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\log.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\webmin\vmmreg32.bkp C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

Network

N/A

Files

C:\Windows\SysWOW64\log.txt

MD5 02218b214eee5cf817eceac2ec8dcd6b
SHA1 f01ca4a167ca340fff4bddd56db61580a55d7a9e
SHA256 d225516032a31f6f883202384bd8553b5b76b05be8bc38e9e42e23fdf5a22b14
SHA512 1b01ba74d10ed0eb7a9e11a35d46f62eeeda39c802fbf4916c6f0bc57aa54407984a525ec18090380da0dbaf55f38a46b9433dacfe117645648d24618c423082

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 08:09

Reported

2024-06-20 08:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Impair Defenses: Safe Mode Boot

defense_evasion

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VIDEO C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\log.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\webmin\vmmreg32.bkp C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\drvhive.ocx C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 1920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 1920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 1920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\04402045a46aa7c1a46adf17c775d84d_JaffaCakes118.dll

Network

Country Destination Domain Proto
US 52.111.229.43:443 N/A tcp

Files

C:\Windows\SysWOW64\log.txt

MD5 b16b1939a07b21f11ebe240e83b1c029
SHA1 595c12903be8a63da31b1d470943e28dca8d5777
SHA256 22e1baf11bc1ab4b6c97f97b09178b0ff71a122969949945a1591b0ee8da8e8f
SHA512 848af880307b64d034b28d09f300e464aec70666389f1bf5e4ce1731e3297c68265708975692c9b83d79583d2cde937b07dc312f4d8d0e98aa8d0bb6de91e9ac

C:\Windows\SysWOW64\log.txt

MD5 bc27128d3daf8f426034c2492c299e90
SHA1 4034502da3842d10e3f72db356b4e1df813a618d
SHA256 3ac89ef872500e6b97eda5f0c62a3c3bca50b2bf0d958de1789eb6d9443722df
SHA512 3af3a6be5022ea535831f8ce2d519b11c0be3d95b702ba2430de142b2b1332a1ba72a7a782e4092f5e64cdf65cafeec23c3fad222f126cb74dd424a83fcfdc88