Analysis Overview
SHA256
15608aa75a68cc98edfd53d5a892f0d8ba12d5ab9cf44e528e7c07f9777ec9c1
Threat Level: Shows suspicious behavior
The file 012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:05
Reported
2024-06-22 04:08
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\xwr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\xa259399975.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\xa259400162.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xa259400162.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\wr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\xa259399975.exe
"C:\Windows\system32\xa259399975.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr43929.dll
Network
Files
C:\Windows\SysWOW64\xa259399975.exe
| MD5 | 2c12b7fd19315d35f32a7fa0bd9625ac |
| SHA1 | 3e0f7f24a7c3b327592ec18844ae4b9fc6b18798 |
| SHA256 | 67dfca880f86278ce821a1f50cb4d10aea05d15f0e33e40e5b5e1b11bdfa6c29 |
| SHA512 | 251ea231580f0d4d0d0acb62d2c6ce393aa06a7cbd39152754c8f7dac3cf448cb871b1381da5e07a7a64bdaa689e6ca7c22fa82ed3437ff2de8c82d9f4969d92 |
memory/2000-21-0x0000000010000000-0x000000001000D000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy237A.tmp\setuphlp.dll
| MD5 | 43ab89d7dc562b830bd15910f407eff0 |
| SHA1 | 2804846b70eecdf025906d59c5057e3eeb26b41f |
| SHA256 | 1924b0511513156110ccad7e06faa127bf4e4f539686685580c57aa430064184 |
| SHA512 | 5a5f6e33f55a9fa1eab7b3071d18868255f4a36b64f070cc1ac4f96cfdbd4bef65b1574577afdf7714614da6fa440ec7434905dacfc7cbf5680e5ed65cdc8e15 |
C:\Users\Admin\AppData\Local\Temp\nsy237A.tmp\ioSpecial.ini
| MD5 | 45872f953dc52e7e471130bee2801256 |
| SHA1 | a413469b4fef8750b18e473f3853ebd4c64ee455 |
| SHA256 | 1905380a57b95be2c2afc0871c7dab1268bfb3845f173892cf637ae1b00a522f |
| SHA512 | ddb2402f98ce343745f92c6c924c474b0551106b5e30baae6744911f3a4109e205d3c33de0ca214817d761ae27723b24cd4d2d6ddcc6a156d73cf5404beead94 |
\Users\Admin\AppData\Local\Temp\nsy237A.tmp\InstallOptions.dll
| MD5 | 32aa6334fc543e70ef0f792bb9a0c45a |
| SHA1 | 54be1f5004f7e5afe7c9ba160495076ea2a4d60c |
| SHA256 | 610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2 |
| SHA512 | ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae |
C:\Windows\SysWOW64\xwr43929.dll
| MD5 | 5ec497129d07614bcb88c48b6c563fbd |
| SHA1 | e5b07c5223e3377f4f0010d6a7be65cdf7d57e14 |
| SHA256 | 94b0388a38e389d7798c7d8ccf87125806318a52b58c9aeb277e6e7288ff5386 |
| SHA512 | 13b6cf77116fee5d38e8446613d45bc9dde2334b4a7e2c142683426cffc1b9566dbf15d4d9e0191c26faadd014ae13cd248c7e9bdbea64f4b6d98d1f468daf2d |
memory/2000-105-0x0000000010000000-0x000000001000D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:05
Reported
2024-06-22 04:08
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\wr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\xwr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\xa240595187.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\xa240595390.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xa240595390.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1664 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\xa240595187.exe |
| PID 1664 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\xa240595187.exe |
| PID 1664 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\xa240595187.exe |
| PID 1664 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1664 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1664 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\xa240595187.exe
"C:\Windows\system32\xa240595187.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr43929.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\xa240595187.exe
| MD5 | 2c12b7fd19315d35f32a7fa0bd9625ac |
| SHA1 | 3e0f7f24a7c3b327592ec18844ae4b9fc6b18798 |
| SHA256 | 67dfca880f86278ce821a1f50cb4d10aea05d15f0e33e40e5b5e1b11bdfa6c29 |
| SHA512 | 251ea231580f0d4d0d0acb62d2c6ce393aa06a7cbd39152754c8f7dac3cf448cb871b1381da5e07a7a64bdaa689e6ca7c22fa82ed3437ff2de8c82d9f4969d92 |
C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\setuphlp.dll
| MD5 | 43ab89d7dc562b830bd15910f407eff0 |
| SHA1 | 2804846b70eecdf025906d59c5057e3eeb26b41f |
| SHA256 | 1924b0511513156110ccad7e06faa127bf4e4f539686685580c57aa430064184 |
| SHA512 | 5a5f6e33f55a9fa1eab7b3071d18868255f4a36b64f070cc1ac4f96cfdbd4bef65b1574577afdf7714614da6fa440ec7434905dacfc7cbf5680e5ed65cdc8e15 |
memory/1464-26-0x0000000010000000-0x000000001000D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\ioSpecial.ini
| MD5 | c47f923a3e3c9b644fb8839271c355fa |
| SHA1 | 5db85407541912f24173cc84ec01c3531da92fcb |
| SHA256 | 4be5c0b97f7c61fade25a3ce6ed0d140388c3cf49fc2a6c4131bef658e64802e |
| SHA512 | 673914bb9e32efda70b742a4aff542a13d06afdd73a9866ed4356dfbab8e39b7c5b77ef634d6c41b0f244791af41bfc4935650d42a2edd13fca08fa05022a553 |
C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\InstallOptions.dll
| MD5 | 32aa6334fc543e70ef0f792bb9a0c45a |
| SHA1 | 54be1f5004f7e5afe7c9ba160495076ea2a4d60c |
| SHA256 | 610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2 |
| SHA512 | ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae |
C:\Windows\SysWOW64\xwr43929.dll
| MD5 | 5ec497129d07614bcb88c48b6c563fbd |
| SHA1 | e5b07c5223e3377f4f0010d6a7be65cdf7d57e14 |
| SHA256 | 94b0388a38e389d7798c7d8ccf87125806318a52b58c9aeb277e6e7288ff5386 |
| SHA512 | 13b6cf77116fee5d38e8446613d45bc9dde2334b4a7e2c142683426cffc1b9566dbf15d4d9e0191c26faadd014ae13cd248c7e9bdbea64f4b6d98d1f468daf2d |