Malware Analysis Report

2025-01-18 22:03

Sample ID: 240622-entnas1dnp
Target: 012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118
SHA256: 15608aa75a68cc98edfd53d5a892f0d8ba12d5ab9cf44e528e7c07f9777ec9c1
Tags: adware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 15608aa75a68cc98edfd53d5a892f0d8ba12d5ab9cf44e528e7c07f9777ec9c1

Threat level: shows suspicious behavior.

The file 012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118 was classified as suspicious: it is an unsigned NSIS installer that drops a DLL and two executables into the 32-bit system directory, runs one of the executables, and uses regsvr32 /s to register the DLL as an Internet Explorer Browser Helper Object (CLSID {62063880-B7E3-3376-990A-D02D91746639}). Neither detonation recorded traffic attributable to the sample.

Malicious Activity Summary

Tags: adware, stealer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 04:05

Signatures

Unsigned PE

The PE carries no Authenticode signature.
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 04:05

Reported: 2024-06-22 04:08

Platform: win7-20240508-en

Max time kernel: 120s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\xwr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\xa259399975.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\xa259400162.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\xa259400162.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\wr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A

Enumerates physical storage devices

NSIS installer

Tags: installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies registry class

These are the COM registrations regsvr32 performs when it calls DllRegisterServer in xwr43929.dll: CLSID {62063880-B7E3-3376-990A-D02D91746639} is bound to the dropped DLL as an Apartment-threaded in-process server, and an interface named IDOMPeek ({0E50AC25-2B73-31F0-B309-C4E6A1439143}) plus a type library ({FD387FD4-E13F-39C4-9235-47E5E0754F1B}) are registered alongside it. The interface name suggests the BHO reads the loaded page's DOM, which fits the stealer/adware tags, though the report does not show what it does with the data.

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A
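The Browser Helper Objects table and the registry-class table above together describe one persistence mechanism: regsvr32 registers xwr43929.dll as an in-process COM server and lists its CLSID under Browser Helper Objects with IExplore = 1, so Internet Explorer loads the DLL at start-up. The Python below is an added example, not part of the sandbox report or of the sample; it parses registry-event rows in the report's own row format, reconstructs that chain (CLSID, IExplore flag, InprocServer32 DLL, threading model) and flags the traits seen here. The sample rows are copied from the behavioral1 tables; the parser, the record layout and the helper names are this example's own assumptions.

```python
import re

# Constructed sample input: registry events copied from the behavioral1 run above
# (the Browser Helper Objects writes plus the CLSID and TypeLib registrations).
EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639}\IExplore = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\ = "D" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
""".strip().splitlines()

# One report row: <op> <registry path>[ = "<data>"] <acting process> <target>.
# The path may contain spaces, so it is matched lazily and the row is anchored
# on the two trailing whitespace-free tokens (process, target).
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<kind>int|str)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
BHO_GUID_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)


def parse_event(line):
    """Split one row into op, full path, parent key, value name, data, process.
    A path ending in a backslash is the key's (Default) value, name == ""."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    key, _, name = path.rpartition("\\")
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the report doubles backslashes in REG_SZ data
    return {"op": m.group("op"), "path": path, "key": key, "name": name,
            "value": value, "process": m.group("process")}


def find_bho_registrations(lines):
    """Return {CLSID: info} for every CLSID listed under Browser Helper Objects,
    joined with that CLSID's InprocServer32 DLL and ThreadingModel."""
    bhos, servers = {}, {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        m = BHO_GUID_RE.search(ev["path"])
        if m:
            clsid = m.group(1).upper()
            info = bhos.setdefault(clsid, {
                "process": ev["process"], "iexplore": False,
                "wow64": "\\wow6432node\\" in ev["path"].lower()})  # 32-bit registry view
            if ev["name"].lower() == "iexplore":
                info["iexplore"] = ev["value"] == "1"
            continue
        m = INPROC_RE.search(ev["key"])
        if m and ev["value"] is not None:
            srv = servers.setdefault(m.group(1).upper(), {})
            if ev["name"] == "":
                srv["dll"] = ev["value"]          # (Default) of InprocServer32 = DLL path
            elif ev["name"].lower() == "threadingmodel":
                srv["threading"] = ev["value"]
    for clsid, info in bhos.items():
        info.update(servers.get(clsid, {}))
    return bhos


def triage(bhos):
    """One finding line per BHO, with the traits worth escalating on."""
    findings = []
    for clsid, info in bhos.items():
        dll = info.get("dll") or "<no InprocServer32 seen>"
        flags = []
        if info["iexplore"]:
            flags.append("enabled-in-IE")
        if dll.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            flags.append("dll-in-system-dir")  # dropped DLL placed among OS files
        if info["wow64"]:
            flags.append("32-bit-view")
        findings.append(f"BHO {clsid} -> {dll} [{', '.join(flags)}] by {info['process']}")
    return findings


if __name__ == "__main__":
    for finding in triage(find_bho_registrations(EVENTS)):
        print(finding)
```

Run against the full table rather than this excerpt to see every CLSID the installer registers; a hit with dll-in-system-dir and enabled-in-IE is the combination this sample produces.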

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\xa259399975.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 848 wrote to memory of 2000 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\xa259399975.exe
PID 848 wrote to memory of 2488 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe

Both targets are processes the sample itself started (see Processes). The sandbox records every cross-process write, including the ones a parent makes while setting up a child it has just created, so these rows on their own do not show injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe (PID 848)

"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\xa259399975.exe (PID 2000, started by 848)

"C:\Windows\system32\xa259399975.exe"

C:\Windows\SysWOW64\regsvr32.exe (PID 2488, started by 848)

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr43929.dll

PIDs and parentage are taken from the WriteProcessMemory rows above. Note the paths: the sample is a 32-bit process, so on the 64-bit sandbox WOW64 file-system redirection maps its references to C:\Windows\System32 onto C:\Windows\SysWOW64. That is why the command lines name system32 while the recorded image and file paths are SysWOW64; when hunting, look for the dropped names under both spellings. The regsvr32 call registers the dropped DLL silently (/s), which is what produces the Browser Helper Object and CLSID registry writes listed above.
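The process list above shows the pattern a detection should key on: a binary running from the user's Temp folder drops files into the system directory, starts one of them, and calls regsvr32 /s on another. The Python below is an added example, not from the report, that correlates the "Drops file in System32 directory" rows with the process list and flags both steps, normalising the System32/SysWOW64 spelling so the command-line path and the recorded file path match. Parent PIDs are an assumption of the example (inferred from the WriteProcessMemory rows 848 -> 2000 and 848 -> 2488, which the report does not present as a process tree), and the record layout and function names are the example's own.

```python
import re
import ntpath

# Constructed sample input, taken from the behavioral1 tables above.
FILE_CREATES = [  # (creating pid, path) from "Drops file in System32 directory"
    (848, r"C:\Windows\SysWOW64\xwr43929.dll"),
    (848, r"C:\Windows\SysWOW64\xa259399975.exe"),
    (848, r"C:\Windows\SysWOW64\xa259400162.exe"),
    (848, r"C:\Windows\SysWOW64\wr43929.dll"),
]
# (pid, parent pid, image path, command line). Parent pids are an assumption:
# the report only shows "PID 848 wrote to memory of 2000 / 2488".
PROCESSES = [
    (848, None, r"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"'),
    (2000, 848, r"C:\Windows\SysWOW64\xa259399975.exe",
     r'"C:\Windows\system32\xa259399975.exe"'),
    (2488, 848, r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr43929.dll'),
]

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def normalize(path):
    """Lower-case a Windows path and fold the WOW64 view: on x64 a 32-bit process
    that names C:\\Windows\\System32 is redirected to C:\\Windows\\SysWOW64, which
    is why the command lines and the recorded paths in the report disagree."""
    p = path.strip('"').lower()
    if p.startswith(SYSTEM32):
        p = SYSWOW64 + p[len(SYSTEM32):]
    return p


def split_cmdline(cmdline):
    """Split a Windows command line into argv (quoted or whitespace-delimited)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect(processes, file_creates):
    """Flag processes whose image, or whose regsvr32 argument, is a file that
    another process in this run created."""
    dropped = {normalize(path): pid for pid, path in file_creates}
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        parent = by_pid.get(ppid)
        parent_in_temp = bool(parent and "\\appdata\\local\\temp\\" in normalize(parent[2]))
        img = normalize(image)
        if img in dropped:
            findings.append(f"pid {pid} executes dropped EXE {image} (written by pid {dropped[img]})")
        if ntpath.basename(img) == "regsvr32.exe":
            argv = split_cmdline(cmdline)
            silent = any(a.lower() == "/s" for a in argv[1:])
            for arg in argv[1:]:
                if arg.startswith("/"):
                    continue                      # switch, not a DLL path
                dll = normalize(arg)
                if dll in dropped:
                    findings.append(
                        f"pid {pid} regsvr32{' /s' if silent else ''} registers dropped DLL {arg} "
                        f"(written by pid {dropped[dll]}; parent {ppid}"
                        f"{' runs from %TEMP%' if parent_in_temp else ''})")
    return findings


if __name__ == "__main__":
    for finding in detect(PROCESSES, FILE_CREATES):
        print(finding)
```

The same correlation works on EDR telemetry (file-create events joined to process-start events on the normalised path); without the normalisation step the regsvr32 argument C:\Windows\system32\xwr43929.dll never matches the recorded drop in SysWOW64 and the second finding is missed.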

Network

N/A

Files

C:\Windows\SysWOW64\xa259399975.exe

MD5 2c12b7fd19315d35f32a7fa0bd9625ac
SHA1 3e0f7f24a7c3b327592ec18844ae4b9fc6b18798
SHA256 67dfca880f86278ce821a1f50cb4d10aea05d15f0e33e40e5b5e1b11bdfa6c29
SHA512 251ea231580f0d4d0d0acb62d2c6ce393aa06a7cbd39152754c8f7dac3cf448cb871b1381da5e07a7a64bdaa689e6ca7c22fa82ed3437ff2de8c82d9f4969d92

memory/2000-21-0x0000000010000000-0x000000001000D000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy237A.tmp\setuphlp.dll

MD5 43ab89d7dc562b830bd15910f407eff0
SHA1 2804846b70eecdf025906d59c5057e3eeb26b41f
SHA256 1924b0511513156110ccad7e06faa127bf4e4f539686685580c57aa430064184
SHA512 5a5f6e33f55a9fa1eab7b3071d18868255f4a36b64f070cc1ac4f96cfdbd4bef65b1574577afdf7714614da6fa440ec7434905dacfc7cbf5680e5ed65cdc8e15

C:\Users\Admin\AppData\Local\Temp\nsy237A.tmp\ioSpecial.ini

MD5 45872f953dc52e7e471130bee2801256
SHA1 a413469b4fef8750b18e473f3853ebd4c64ee455
SHA256 1905380a57b95be2c2afc0871c7dab1268bfb3845f173892cf637ae1b00a522f
SHA512 ddb2402f98ce343745f92c6c924c474b0551106b5e30baae6744911f3a4109e205d3c33de0ca214817d761ae27723b24cd4d2d6ddcc6a156d73cf5404beead94

\Users\Admin\AppData\Local\Temp\nsy237A.tmp\InstallOptions.dll

MD5 32aa6334fc543e70ef0f792bb9a0c45a
SHA1 54be1f5004f7e5afe7c9ba160495076ea2a4d60c
SHA256 610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2
SHA512 ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae

C:\Windows\SysWOW64\xwr43929.dll

MD5 5ec497129d07614bcb88c48b6c563fbd
SHA1 e5b07c5223e3377f4f0010d6a7be65cdf7d57e14
SHA256 94b0388a38e389d7798c7d8ccf87125806318a52b58c9aeb277e6e7288ff5386
SHA512 13b6cf77116fee5d38e8446613d45bc9dde2334b4a7e2c142683426cffc1b9566dbf15d4d9e0191c26faadd014ae13cd248c7e9bdbea64f4b6d98d1f468daf2d

memory/2000-105-0x0000000010000000-0x000000001000D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 04:05

Reported: 2024-06-22 04:08

Platform: win10v2004-20240611-en

Max time kernel: 149s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xa240595187.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62063880-B7E3-3376-990A-D02D91746639}\IExplore = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\wr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\xwr43929.dll | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\xa240595187.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\xa240595390.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\xa240595390.exe | C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe | N/A

Enumerates physical storage devices

NSIS installer

Tags: installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies registry class

The same COM registrations as in behavioral1 (CLSID {62063880-B7E3-3376-990A-D02D91746639} -> xwr43929.dll, interface IDOMPeek, type library {FD387FD4-E13F-39C4-9235-47E5E0754F1B}), written through the WOW6432Node view on Windows 10.

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\ = "LIB" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib\ = "{FD387FD4-E13F-39C4-9235-47E5E0754F1B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639}\ = "D" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\ = "IDOMPeek" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E50AC25-2B73-31F0-B309-C4E6A1439143}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62063880-B7E3-3376-990A-D02D91746639} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD387FD4-E13F-39C4-9235-47E5E0754F1B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr43929.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\012ef4d37abb574f336b2c66c3d505ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\xa240595187.exe

"C:\Windows\system32\xa240595187.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr43929.dll

The same chain as on Windows 7, with a different per-run name for the dropped executable. The command lines name system32 while the recorded paths are SysWOW64 because WOW64 file-system redirection applies to these 32-bit processes.

Network

The report does not attribute flows to a process. Every row below is either a reverse-DNS (in-addr.arpa) lookup or traffic to Bing endpoints, which is typical background activity of the Windows 10 sandbox image; nothing here is attributable to the sample, and the Windows 7 run (behavioral1) recorded no traffic at all. Treat these destinations as noise rather than as indicators.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
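Separating sandbox and OS background traffic from anything the sample itself contacted is the first step before any of these rows become indicators. The Python below is an added example, not part of the report, that reads rows in the report's Network table format, drops repeated flows, and sorts them into reverse-DNS lookups, known background domains and candidate sample traffic. The rows are a subset copied from the table above plus one constructed row (a TEST-NET address and a .invalid name, not from the report) so the candidate bucket is not empty; the background-domain list is this example's assumption and should be tuned against a clean baseline detonation of the same image.

```python
# Constructed sample input: rows from the behavioral2 Network table above,
# plus one made-up row so the "candidate" bucket has something to show.
ROWS = [
    "US 8.8.8.8:53 g.bing.com udp",
    "US 13.107.21.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
    "US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp",
    "BE 2.17.107.105:443 www.bing.com tcp",
    "US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp",
    "US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp",     # repeated in the report
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",        # repeated in the report
    "US 203.0.113.10:80 example-update.invalid tcp",    # constructed, not from the report
]

# Domains the Windows 10 image contacts on its own in otherwise clean runs.
# Assumption of this example: build your own list from a baseline detonation.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com",
                       "windowsupdate.com", "msftconnecttest.com")


def parse_row(row):
    """Split '<country> <ip>:<port> <domain> <proto>' into a record."""
    country, dest, domain, proto = row.split()
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def classify(rec):
    """reverse_dns: PTR lookups the OS issues for addresses it has seen;
    background: known OS/telemetry domains; candidate: everything else."""
    d = rec["domain"]
    if d.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "reverse_dns"
    if d in BACKGROUND_SUFFIXES or d.endswith(tuple("." + s for s in BACKGROUND_SUFFIXES)):
        return "background"
    return "candidate"


def triage_network(rows):
    """Return {bucket: [(domain, host, port, proto), ...]} with duplicate flows removed."""
    seen = set()
    buckets = {"reverse_dns": [], "background": [], "candidate": []}
    for row in rows:
        rec = parse_row(row)
        key = (rec["domain"], rec["host"], rec["port"], rec["proto"])
        if key in seen:
            continue                       # the report lists identical flows more than once
        seen.add(key)
        buckets[classify(rec)].append(key)
    return buckets


def candidate_iocs(buckets):
    """Only the candidate bucket is worth turning into network indicators."""
    return [f"{domain} {host}:{port}/{proto}"
            for domain, host, port, proto in buckets["candidate"]]


if __name__ == "__main__":
    result = triage_network(ROWS)
    for bucket, flows in result.items():
        print(f"{bucket}: {len(flows)} unique flow(s)")
    for ioc in candidate_iocs(result):
        print("candidate IOC:", ioc)
```

Applied to the full table above, the candidate bucket is empty: every flow the Windows 10 run produced falls into the first two buckets, which is the basis for the note that no network indicator can be drawn from this report.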

Files

The dropped executable has the same hashes in both runs (MD5 2c12b7fd19315d35f32a7fa0bd9625ac) although its file name differs (xa259399975.exe on Windows 7, xa240595187.exe here), and so does the NSIS temporary directory (nsy237A.tmp there, nsi3470.tmp here). Both names are generated per run, so indicators should be built on the hashes and on the stable names xwr43929.dll and wr43929.dll rather than on the xa*.exe names.

C:\Windows\SysWOW64\xa240595187.exe

MD5 2c12b7fd19315d35f32a7fa0bd9625ac
SHA1 3e0f7f24a7c3b327592ec18844ae4b9fc6b18798
SHA256 67dfca880f86278ce821a1f50cb4d10aea05d15f0e33e40e5b5e1b11bdfa6c29
SHA512 251ea231580f0d4d0d0acb62d2c6ce393aa06a7cbd39152754c8f7dac3cf448cb871b1381da5e07a7a64bdaa689e6ca7c22fa82ed3437ff2de8c82d9f4969d92

C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\setuphlp.dll

MD5 43ab89d7dc562b830bd15910f407eff0
SHA1 2804846b70eecdf025906d59c5057e3eeb26b41f
SHA256 1924b0511513156110ccad7e06faa127bf4e4f539686685580c57aa430064184
SHA512 5a5f6e33f55a9fa1eab7b3071d18868255f4a36b64f070cc1ac4f96cfdbd4bef65b1574577afdf7714614da6fa440ec7434905dacfc7cbf5680e5ed65cdc8e15

memory/1464-26-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\ioSpecial.ini

MD5 c47f923a3e3c9b644fb8839271c355fa
SHA1 5db85407541912f24173cc84ec01c3531da92fcb
SHA256 4be5c0b97f7c61fade25a3ce6ed0d140388c3cf49fc2a6c4131bef658e64802e
SHA512 673914bb9e32efda70b742a4aff542a13d06afdd73a9866ed4356dfbab8e39b7c5b77ef634d6c41b0f244791af41bfc4935650d42a2edd13fca08fa05022a553

C:\Users\Admin\AppData\Local\Temp\nsi3470.tmp\InstallOptions.dll

MD5 32aa6334fc543e70ef0f792bb9a0c45a
SHA1 54be1f5004f7e5afe7c9ba160495076ea2a4d60c
SHA256 610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2
SHA512 ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae

C:\Windows\SysWOW64\xwr43929.dll

MD5 5ec497129d07614bcb88c48b6c563fbd
SHA1 e5b07c5223e3377f4f0010d6a7be65cdf7d57e14
SHA256 94b0388a38e389d7798c7d8ccf87125806318a52b58c9aeb277e6e7288ff5386
SHA512 13b6cf77116fee5d38e8446613d45bc9dde2334b4a7e2c142683426cffc1b9566dbf15d4d9e0191c26faadd014ae13cd248c7e9bdbea64f4b6d98d1f468daf2d