Analysis Overview
SHA256
1192713284f0125f9ae1488fc0019c0c2238c891be17a34b3c2a420507f20921
Threat Level: Shows suspicious behavior
Verdict for the file 012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Deletes itself
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:04
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:04
Reported
2024-06-22 04:06
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
Drops file in System32 directory
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\Programmable | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ = "C:\\Windows\\SysWow64\\spria.dll" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\ = "ORBb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID\ = "ORB.ta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID\ = "ORB.ta.1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer\ = "ORB.ta.1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\spria.dll" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\945d92f9f5b13e5415e84c6c776d2f45.bat
Network
Files
memory/1636-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\945d92f9f5b13e5415e84c6c776d2f45.bat
| MD5 | 21b9e299c368c63447d3153df9d4c842 |
| SHA1 | e5e522d87e91e481e0fe936092bd43eefeb52179 |
| SHA256 | 81001586b43245734105e316a11c799fec4d25cf8387f69afd6624937db6829d |
| SHA512 | b904179c9e26138e24dede8cd6d4239cf680d66bce793eb3403df5686d2ebc4e38f58008762631da346acdb4b1f142dde71d0b9af5e00e87abc65299029c8823 |
memory/1636-8-0x0000000000230000-0x0000000000252000-memory.dmp
memory/1636-10-0x0000000000400000-0x0000000000422000-memory.dmp
\Windows\SysWOW64\spria.dll
| MD5 | 716bf567a89ae8270c65f52638b006b6 |
| SHA1 | b589f72e700be7926c31e78778d3c09c14e4fcee |
| SHA256 | 834ef8f2cee08239349e30880c64905818bb9d8b86af3f9c29767e26669cfb87 |
| SHA512 | 93524267ca32a6d6996d752ffdd358356c5a0138f2dde5ce87cfb11b65ce9c4ff3746a12acf53a902dd44fa7d550ae5e2640a6d0f757e2b7c248bd672d3a9b66 |
memory/1636-14-0x0000000010000000-0x0000000010029000-memory.dmp
memory/1636-18-0x0000000000230000-0x0000000000252000-memory.dmp
memory/1636-17-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:04
Reported
2024-06-22 04:06
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
Drops file in System32 directory
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32\ = "C:\\Windows\\SysWow64\\spria.dll" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\Programmable | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\CLSID\ = "{ADA8C222-95D2-47B5-950B-AEBC0A508839}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CLSID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ = "IORBob" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta\CurVer\ = "ORB.ta.1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839} | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID\ = "ORB.ta.1" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\TypeLib\ = "{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\ = "ORBb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ORB.ta.1\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ = "ORBta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\ProgID | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\VersionIndependentProgID\ = "ORB.ta" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADA8C222-95D2-47B5-950B-AEBC0A508839}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\spria.dll" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21EEB010-57F3-11DD-B116-DAD055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1836 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1836 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1836 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012df06970bf9c6ae2c9a7a401124a5e_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b28fc2762c5427941da36496d219f1f8.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/1836-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b28fc2762c5427941da36496d219f1f8.bat
| MD5 | 941b8d0c5925cc2cd83d4f9d0058f3d0 |
| SHA1 | b9a3ddbc0f90029793779e5d64fa731d582ee738 |
| SHA256 | a1ed134b96a6ef17c1d221323e6fa978dd449f542712baf50c6ef9ec4d714b8d |
| SHA512 | b6f94699383d1070a2a22e8c7f2c52ca02bc730e65a76a34ddd9deffe8bd0e302bd267d9d304be661bf505d522671e31d31386626f2573898c2a5212ed42cf3f |
memory/1836-4-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\SysWOW64\spria.dll
| MD5 | 716bf567a89ae8270c65f52638b006b6 |
| SHA1 | b589f72e700be7926c31e78778d3c09c14e4fcee |
| SHA256 | 834ef8f2cee08239349e30880c64905818bb9d8b86af3f9c29767e26669cfb87 |
| SHA512 | 93524267ca32a6d6996d752ffdd358356c5a0138f2dde5ce87cfb11b65ce9c4ff3746a12acf53a902dd44fa7d550ae5e2640a6d0f757e2b7c248bd672d3a9b66 |
memory/1836-9-0x0000000010000000-0x0000000010029000-memory.dmp
memory/1836-12-0x0000000000400000-0x0000000000422000-memory.dmp