Malware Analysis Report

2025-01-18 22:02

Sample ID 240622-em5n6sxckf
Target 012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118
SHA256 1192713284f0125f9ae1488fc0019c0c2238c891be17a34b3c2a420507f20921
Tags: upx, adware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 1192713284f0125f9ae1488fc0019c0c2238c891be17a34b3c2a420507f20921

Threat level: shows suspicious behavior.

The file 012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118 behaved consistently across both detonations (Windows 7 and Windows 10). The sample is 32-bit and runs under WOW64, which is why the registry paths go through Wow6432Node and the dropped files land in SysWOW64.

It registers a Browser Helper Object named "ORBta" with CLSID {ADA8C222-95D2-47B5-950B-AEBC0A508839}, ProgIDs ORB.ta and ORB.ta.1, and type library {1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}. The CLSID's InprocServer32 value points to C:\Windows\SysWow64\spria.dll, which the sample drops. The DLL has the same hash in both runs (SHA256 834ef8f2cee08239349e30880c64905818bb9d8b86af3f9c29767e26669cfb87); together with the CLSID and ProgIDs it is the stable indicator for this sample.

The BHO key sets NoExplorer = 1, so the DLL is loaded by Internet Explorer but not by Windows Explorer. As a 32-bit in-process COM server it can only be loaded by the 32-bit iexplore.exe.

Only spria.dll is actually created in SysWOW64. The other names under "Drops file in System32 directory" (ssa.dll, ppobo.dll, cunta.dll, gln.dll, kwpm.dll, bsm.dll and a .tmp file) are opened for modification, but none of them appears in the Files section of either run.

The executable removes itself via cmd.exe running a .bat file from the user's Temp directory. The batch file's name and hashes differ between the two runs, so they are not useful indicators.

No network activity attributable to the sample was observed. The Windows 7 run recorded none at all; the Windows 10 run shows only Bing and reverse-DNS traffic consistent with that platform's background activity.

Statically, the file is UPX-packed and unsigned; an ACProtect 1.3x - 1.4x packer signature also matches.

Malicious Activity Summary

Tags: upx, adware, stealer

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Deletes itself

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

No technique mapping is present in this export.

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:04

Signatures

UPX packed file (tag: upx)
No indicator details recorded.

Unsigned PE
Two hits; no indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:04

Reported

2024-06-22 04:06

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
No indicator details recorded.

Deletes itself
Process: C:\Windows\SysWOW64\cmd.exe (runs the .bat listed under Processes, which removes the original executable)

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe (the dropped DLL is C:\Windows\SysWOW64\spria.dll, see Files)

UPX packed file (tag: upx)
Five hits; no indicator details recorded.

Installs/modifies Browser Helper Object (tags: stealer, adware)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ssa.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ppobo.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cunta.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spria.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gln.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kwpm.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bsm.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\spria.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\5ed5ed70c3f48191921704f05957a8a2.tmp C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\Programmable C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ = "C:\\Windows\\SysWow64\\spria.dll" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\ = "ORBb 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID\ = "ORB.ta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID\ = "ORB.ta.1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer\ = "ORB.ta.1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\spria.dll" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
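The Browser Helper Objects rows above name only a CLSID; it is the CLSID's InprocServer32 default value in the Modifies registry class table that turns it into a file path (C:\Windows\SysWow64\spria.dll). The Python below is an added example, not code from the sandbox or from this report, that parses rows in the report's own row format and walks that chain, returning the BHO name, the NoExplorer flag, the resolved DLL and whether that DLL sits in a Windows system directory. The sample rows are copied from this report (the NoExplorer row is taken from behavioral2 to show that the two runs record the same key with different casing); the function names, the returned fields and the "registered from a Temp directory" heuristic are this example's own assumptions.

```python
"""Correlate sandbox registry rows into a Browser Helper Object finding.

Added example, not the sandbox's own code. Input is the report's row format:
    <op> <registry path>[ = "<data>"] <process> N/A
SAMPLE_ROWS are copied from this report; the function names, the fields
returned and the heuristics are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:str|int)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'        # key path; may contain spaces
    r'(?: = "(?P<data>.*)")?'           # present only on Set value rows
    r' (?P<process>\S+) N/A$'
)
# Where Internet Explorer looks for BHOs. Keys are lower-cased before matching:
# the two runs differ in casing (Wow6432Node/explorer vs WOW6432Node/Explorer).
BHO_KEY_RE = re.compile(r'\\browser helper objects\\(\{[0-9a-f-]{36}\})$')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')

# Constructed input: rows copied from behavioral1, plus the NoExplorer row from behavioral2.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ = "C:\\Windows\\SysWow64\\spria.dll" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
"""


@dataclass
class RegEvent:
    op: str
    key: str           # registry key, lower-cased
    value: str         # value name, lower-cased; '' is the key's default value
    data: str | None   # None for Key created rows
    process: str


def parse_row(line: str) -> RegEvent | None:
    """Parse one report row; returns None for text in any other format."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path, data = m.group('path'), m.group('data')
    if data is not None:                          # Set value row
        data = data.replace('\\\\', '\\')         # the report escapes backslashes in data
        key, _, value = path.rpartition('\\')     # a trailing '\' names the default value
    else:                                         # Key created row
        key, value = path, ''
    return RegEvent(m.group('op'), key.lower(), value.lower(), data, m.group('process'))


def registry_snapshot(events: list[RegEvent]) -> dict[str, dict[str, str]]:
    """Fold Set value events into {key: {value_name: data}}; last write wins."""
    snap: dict[str, dict[str, str]] = {}
    for e in events:
        if e.data is not None:
            snap.setdefault(e.key, {})[e.value] = e.data
    return snap


def find_bho_installs(rows) -> list[dict]:
    """Return one finding per BHO CLSID, resolved to the DLL IE would load."""
    events = [e for e in map(parse_row, rows) if e is not None]
    snap = registry_snapshot(events)
    findings, seen = [], set()
    for e in events:
        m = BHO_KEY_RE.search(e.key)
        if not m or m.group(1) in seen:
            continue
        clsid = m.group(1)
        seen.add(clsid)
        bho = snap.get(e.key, {})
        # CLSID -> InprocServer32 default value. The suffix test matches the
        # Wow6432Node hive (32-bit servers on x64) as well as the native one.
        dll = next((v.get('') for k, v in snap.items()
                    if k.endswith(f'\\clsid\\{clsid}\\inprocserver32')), None)
        findings.append({
            'clsid': clsid.upper(),
            'name': bho.get(''),
            'no_explorer': bho.get('noexplorer') == '1',   # loaded by IE only, not Explorer
            'dll': dll,
            'dll_in_system_dir': dll is not None and any(d in dll.lower() for d in SYSTEM_DIRS),
            'registered_by': e.process,
            # Heuristic (this example's own): a COM server registered by a binary
            # running from a user Temp directory, not by an installer, is worth escalating.
            'installer_in_temp': '\\temp\\' in e.process.lower(),
        })
    return findings


if __name__ == '__main__':
    for finding in find_bho_installs(SAMPLE_ROWS.splitlines()):
        print(finding)
```

Run it directly to print the finding for this sample. To apply it to another report, pass any iterable of row strings to find_bho_installs. Keys are lower-cased before matching because the Windows registry is case-insensitive and, as the two runs here show, the sandbox records the same key with different casing.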

Processes

C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\945d92f9f5b13e5415e84c6c776d2f45.bat

Network

None observed.

Files

memory/1636-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\945d92f9f5b13e5415e84c6c776d2f45.bat

MD5 21b9e299c368c63447d3153df9d4c842
SHA1 e5e522d87e91e481e0fe936092bd43eefeb52179
SHA256 81001586b43245734105e316a11c799fec4d25cf8387f69afd6624937db6829d
SHA512 b904179c9e26138e24dede8cd6d4239cf680d66bce793eb3403df5686d2ebc4e38f58008762631da346acdb4b1f142dde71d0b9af5e00e87abc65299029c8823

memory/1636-8-0x0000000000230000-0x0000000000252000-memory.dmp

memory/1636-10-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\SysWOW64\spria.dll

MD5 716bf567a89ae8270c65f52638b006b6
SHA1 b589f72e700be7926c31e78778d3c09c14e4fcee
SHA256 834ef8f2cee08239349e30880c64905818bb9d8b86af3f9c29767e26669cfb87
SHA512 93524267ca32a6d6996d752ffdd358356c5a0138f2dde5ce87cfb11b65ce9c4ff3746a12acf53a902dd44fa7d550ae5e2640a6d0f757e2b7c248bd672d3a9b66

memory/1636-14-0x0000000010000000-0x0000000010029000-memory.dmp

memory/1636-18-0x0000000000230000-0x0000000000252000-memory.dmp

memory/1636-17-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 04:04

Reported

2024-06-22 04:06

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
No indicator details recorded.

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe (the dropped DLL is C:\Windows\SysWOW64\spria.dll, see Files)

UPX packed file (tag: upx)
Five hits; no indicator details recorded.

Installs/modifies Browser Helper Object (tags: stealer, adware)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spria.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gln.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cunta.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kwpm.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bsm.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ppobo.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spria.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\45da00bd145405968573e2880d41b742.tmp C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ssa.dll C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ = "C:\\Windows\\SysWow64\\spria.dll" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\Programmable C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer\ = "ORB.ta.1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839} C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID\ = "ORB.ta.1" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\ = "ORBb 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID\ = "ORB.ta" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\spria.dll" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b28fc2762c5427941da36496d219f1f8.bat

Network

Note: none of the traffic below is attributable to the sample. The lookups and HTTPS connections to g.bing.com and tse1.mm.bing.net, and the reverse-DNS (in-addr.arpa) queries to 8.8.8.8, are consistent with Windows 10 background activity in this sandbox image rather than command-and-control; the Windows 7 run recorded no network activity at all. Do not use these hosts as indicators.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1836-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b28fc2762c5427941da36496d219f1f8.bat

MD5 941b8d0c5925cc2cd83d4f9d0058f3d0
SHA1 b9a3ddbc0f90029793779e5d64fa731d582ee738
SHA256 a1ed134b96a6ef17c1d221323e6fa978dd449f542712baf50c6ef9ec4d714b8d
SHA512 b6f94699383d1070a2a22e8c7f2c52ca02bc730e65a76a34ddd9deffe8bd0e302bd267d9d304be661bf505d522671e31d31386626f2573898c2a5212ed42cf3f

memory/1836-4-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\SysWOW64\spria.dll

MD5 716bf567a89ae8270c65f52638b006b6
SHA1 b589f72e700be7926c31e78778d3c09c14e4fcee
SHA256 834ef8f2cee08239349e30880c64905818bb9d8b86af3f9c29767e26669cfb87
SHA512 93524267ca32a6d6996d752ffdd358356c5a0138f2dde5ce87cfb11b65ce9c4ff3746a12acf53a902dd44fa7d550ae5e2640a6d0f757e2b7c248bd672d3a9b66

memory/1836-9-0x0000000010000000-0x0000000010029000-memory.dmp

memory/1836-12-0x0000000000400000-0x0000000000422000-memory.dmp