Malware Analysis Report

2025-01-18 21:54

Sample ID 240622-l5zn7sxdmp
Target 0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118
SHA256 e36e200b6f1a0e3d163b32993b0abc76f194508ceaed1b532f720bad21eacde3
Tags
adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e36e200b6f1a0e3d163b32993b0abc76f194508ceaed1b532f720bad21eacde3

Threat Level: Shows suspicious behavior (score 7/10)

The file 0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118 was classified as "shows suspicious behavior" rather than confirmed malicious. The behaviors behind that score are listed below: the sample unpacks into a RarSFX0 temporary directory (the extraction folder used by WinRAR self-extracting archives), its rinst.exe installer drops bpk.exe and two DLLs into C:\WINDOWS\inf, and bpk.exe then registers a Run key, registers a Browser Helper Object backed by bpkwb.dll and installs a Windows hook. The detonation also connects to smtp.aol.com on TCP 587; the report does not attribute that connection to a specific process.

Malicious Activity Summary

adware persistence stealer

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:07

Reported

2024-06-22 10:10

Platform

win7-20240611-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
(SystemBiosVersion and SystemBiosDate are a common virtual-machine fingerprint. Whatever the sample concluded from them, it went on to unpack and install, so the check did not abort this detonation.)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\WINDOWS\\inf\\bpk.exe" C:\WINDOWS\inf\bpk.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\WINDOWS\inf\bpk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\inf\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpk.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpkhk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpkwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File opened for modification C:\WINDOWS\inf\pk.bin C:\WINDOWS\inf\bpk.exe N/A
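The three tables above carry the host indicators a responder needs: the Run value "bpk" pointing at C:\WINDOWS\inf\bpk.exe, a Browser Helper Object CLSID whose InprocServer32 (see the registry-class table below) is C:\WINDOWS\inf\bpkwb.dll, so Internet Explorer loads that DLL in-process on every start, and the files rinst.exe writes into C:\WINDOWS\inf. The script below is an added example, not part of the sandbox report: it parses rows in the report's "Description Indicator Process Target" layout into a structured IOC set. The embedded rows are copied from the tables above; the function and field names are my own.

```python
"""Extract host IOCs from sandbox indicator rows.

Added example (not part of the sandbox report): the rows in SAMPLE_ROWS are
copied from the behavioral1 tables so the script runs offline; the function
and field names are my own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: one Run-key row, the BHO registration row, the CLSID's
# InprocServer32 row and three dropped-file rows, in the report's
# "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\WINDOWS\\inf\\bpk.exe" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\WINDOWS\\inf\\bpkwb.dll" C:\WINDOWS\inf\bpk.exe N/A
File created C:\WINDOWS\inf\bpk.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpkhk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File opened for modification C:\WINDOWS\inf\pk.bin C:\WINDOWS\inf\bpk.exe N/A
"""

# The description is one of a fixed set; the process is the last drive-letter
# token preceded by a space (quoted values are not), the target is the tail.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \(str\)|Key created|Key value queried|File created|"
    r"File opened for modification) (?P<indicator>.+) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HostIOCs:
    run_keys: dict = field(default_factory=dict)        # value name -> command
    bho_clsids: set = field(default_factory=set)        # CLSIDs under Browser Helper Objects
    inproc_servers: dict = field(default_factory=dict)  # CLSID -> InprocServer32 DLL
    dropped_files: dict = field(default_factory=dict)   # file path -> writing process


def _split_value(indicator):
    """'key\\name = "val"' -> (key path, val) with the report's doubled backslashes undone."""
    path, sep, val = indicator.partition(" = ")
    if not sep:
        return indicator, None
    return path, val.strip('"').replace("\\\\", "\\")


def parse_rows(text):
    iocs = HostIOCs()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        desc, indicator, process = m["desc"], m["indicator"], m["process"]
        if desc.startswith("File"):
            iocs.dropped_files[indicator] = process
            continue
        path, value = _split_value(indicator)
        low = path.lower()
        guid = GUID_RE.search(path)
        if "\\currentversion\\run\\" in low and value is not None:
            iocs.run_keys[path.rsplit("\\", 1)[1]] = value
        elif "\\browser helper objects\\" in low and guid:
            iocs.bho_clsids.add(guid.group(0).upper())
        elif low.endswith("\\inprocserver32\\") and value is not None and guid:
            iocs.inproc_servers[guid.group(0).upper()] = value
    return iocs


def bho_dlls(iocs):
    """Resolve each registered BHO CLSID to the DLL Internet Explorer will load for it."""
    return {clsid: iocs.inproc_servers.get(clsid) for clsid in sorted(iocs.bho_clsids)}


if __name__ == "__main__":
    found = parse_rows(SAMPLE_ROWS)
    print("Run keys:", found.run_keys)
    print("BHO DLLs:", bho_dlls(found))
    for path, writer in found.dropped_files.items():
        print(f"{path}  <- {writer}")
```

Feeding the full behavioral1 and behavioral2 tables through parse_rows gives the same Run value, the same CLSID and the same six files on both platforms, which is what makes the path and registry indicators usable on hosts regardless of which Windows version they run.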

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\WINDOWS\\inf\\bpkwb.dll" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Verb\1 C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\WINDOWS\\inf\\bpkwb.dll" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\WINDOWS\\inf\\" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Verb\0 C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Verb\1\ = "&Open,0,2" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA} C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Task Management Module" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Verb C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Verb\0\ = "&Edit,0,2" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\WINDOWS\inf\bpk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A (this row appears 64 times in the report: 64 SendNotifyMessage events from bpk.exe)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A (this row appears 9 times in the report: 9 SetWindowsHookEx events from bpk.exe; the hook type is not recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe (6 identical rows)
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe (4 identical rows)
PID 2644 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe C:\WINDOWS\inf\bpk.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\WINDOWS\inf\bpk.exe

C:\WINDOWS\inf\bpk.exe
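The WriteProcessMemory rows and the process list above describe one chain: the sample (PID 2596) starts a second copy of itself (2228), which runs the extracted rinst.exe (2644), which starts the installed C:\WINDOWS\inf\bpk.exe (896). A parent writing into a freshly created child is what this signature fires on whenever a process is launched, so the rows are best read as lineage rather than as proof of code injection. The script below is an added example, not part of the sandbox report: it rebuilds that lineage from rows in the report's "PID a wrote to memory of b" layout and flags the two patterns worth a second look here. SAMPLE_WPM repeats the three distinct rows exactly as many times as the report lists them; the function names are my own.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows.

Added example (not from the sandbox report): SAMPLE_WPM repeats the three
distinct rows exactly as many times as the report lists them; the function
names are my own.
"""
import re
from collections import defaultdict

SAMPLE_ROOT = r"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"
SAMPLE_RINST = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
SAMPLE_BPK = r"C:\WINDOWS\inf\bpk.exe"

# Constructed input in the report's "PID a wrote to memory of b N/A src dst" layout.
SAMPLE_WPM = "\n".join(
    [f"PID 2596 wrote to memory of 2228 N/A {SAMPLE_ROOT} {SAMPLE_ROOT}"] * 6
    + [f"PID 2228 wrote to memory of 2644 N/A {SAMPLE_ROOT} {SAMPLE_RINST}"] * 4
    + [f"PID 2644 wrote to memory of 896 N/A {SAMPLE_RINST} {SAMPLE_BPK}"] * 4
)

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm(text):
    """Return ({(src_pid, dst_pid): event_count}, {pid: image_path})."""
    edges, image = defaultdict(int), {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        image[src], image[dst] = m["src_img"], m["dst_img"]
    return dict(edges), image


def roots(edges):
    """PIDs that write into others but were never written into themselves."""
    sources = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(sources - targets)


def lineage(edges, root):
    """Depth-first PID order below root (a straight chain in this detonation)."""
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(sorted((d for s, d in edges if s == pid), reverse=True))
    return order


def render_tree(edges, image):
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {image[pid]}")
        for s, d in sorted(edges):
            if s == pid:
                walk(d, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


def suspicious_edges(edges, image):
    """Flag the two patterns a triager pulls out of this chain: a process
    writing into a second instance of its own image, and a write into a child
    that runs from the Windows directory."""
    flags = []
    for (s, d), n in sorted(edges.items()):
        if image[s].lower() == image[d].lower():
            flags.append((s, d, n, "same-image child"))
        if image[d].lower().startswith("c:\\windows\\"):
            flags.append((s, d, n, "child runs from Windows directory"))
    return flags


if __name__ == "__main__":
    edges, image = parse_wpm(SAMPLE_WPM)
    print(render_tree(edges, image))
    for s, d, n, why in suspicious_edges(edges, image):
        print(f"{s} -> {d} ({n} writes): {why}")
```

The DllHost.exe instance in the process list (/Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}) never appears in a WriteProcessMemory row, so it is not part of the chain the rows describe and stays outside the tree.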

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:587 smtp.aol.com tcp
(the DNS lookup and the TCP/587 connection were each recorded three times)

smtp.aol.com resolved to 87.248.97.31 and the detonation connected to it on TCP 587, the SMTP submission port. Together with the stealer tag this points to e-mail as the exfiltration channel, but the report does not capture the SMTP session itself, so the account used and whether any message was accepted are unknown from this data. No other destinations appear in the capture.

Files

memory/2596-0-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-2-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2596-1-0x0000000000510000-0x0000000000612000-memory.dmp

memory/2228-3-0x000000000045F000-0x0000000000460000-memory.dmp

memory/2228-4-0x0000000000550000-0x00000000005A6000-memory.dmp

memory/2228-9-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-10-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-13-0x0000000000550000-0x00000000005A6000-memory.dmp

memory/2228-11-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-12-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-20-0x0000000000550000-0x00000000005A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 fbe4bab53f74d3049ef4b306d4cd8742
SHA1 6504b63908997a71a65997fa31eda4ae4de013e7
SHA256 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
SHA512 d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 74dfa45d9b60e968aac3059cf9d89498
SHA1 b2fa9587b92d9f8ba58c13de86a72a0065b9f126
SHA256 32f754689dbdb14bfcaf549a94a51f9ffc67c707be85d2d488a2b6d61921fc47
SHA512 73c25d5a55ee738dad50adcbce3d73a395e5d82663cfff81e6a75e1257267e0e986d32f5796ac007080cd968c20ebf83ddabac13fe50c995be0377e624ac41ce

memory/2644-48-0x0000000000770000-0x0000000000772000-memory.dmp

memory/2548-49-0x0000000000140000-0x0000000000142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 ddee04a4f939484bfa27eb907e0dd577
SHA1 351eaf4777dd29ef25ba5a815b54443febc75e54
SHA256 89ecbed96c435090c490de84fc1ce6399e5ee1936bb23adc88b9698d6b95eee3
SHA512 a298a689ac6a6455623706698d46ece94843bc23620c861ceae0fa70938dce3a1658353b11b3f4860e234555931cc1ecdbfcd64fbecb19912e28d1c4d113fddd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

MD5 7b9b57af3deb27462dffa4f8237450b3
SHA1 055ef73e04e298d10f81d8464c2bbb6901e38d2f
SHA256 f4b4bc294177020350ca20812e640d0c5a5b535445b1a33b6e66fd753a396a90
SHA512 bf6e4beef430783b93a757ed843b9eb3e673781c62350268fef23a7fa4334723bfaf1f5493cf658d0c4eaf01c20dd879be9b096a1aab8e905859818f3a69e027

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

MD5 49f530be28f57aff1f759df7e133136e
SHA1 07b5dc21defa1e7baaeea89b44127fe6fe323c70
SHA256 7856ddddbfc7815b6fdb40bd05b0c24add78778301e75ac134527e16fac553d9
SHA512 2cc073f42d33cb5a7488e0de59b0982d1d60fd523d5cac3740d7dc5572a90c3bbeb2d74d342501fee2dc2119c2e67f128fbbeaa1157a56e5ad999e27786777e0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

MD5 25c4e51ba801cc5d1d318133d386e3cb
SHA1 40655fdfebf278707cbaf9348e34c2c5194d54fe
SHA256 6a25be0ecab38f90950ec1b954b306a50b4c483c04ccfa28a18f357401a9fd4a
SHA512 9cc3f2d9f48e5714d9279b223a2f7a5af8b11f6256ae09a7ae72d76fe5416111107f403654cb6c9c98d6edbcfa7fcfd1b108d6e4d349f723eeeaa693132e4c71

\Windows\inf\bpk.exe

MD5 888df0bb402e5bb9488ffeb100efc4a3
SHA1 cffe4285be4d3ff50e56f8aad2fedc58df541ffb
SHA256 dc1dd674a79c29cf7d04d4458290ac377d9bd7a75f3f59f95bb9404a371f22dd
SHA512 ad4b7fca93caf607c55c51f158f19b97742efc3b8dbf0c76a5a60ebb2bcb4d1a3107b36811f3c821b86b18bf632006084452724714e9c17ff26762f10365040d

C:\WINDOWS\inf\pk.bin

MD5 9f4f25c03d43d8dc1273b6d5b42f1c34
SHA1 7c2fb929c307ec4b2c992d66572b6d47a1c8830a
SHA256 9c268c5a84460f387339a7f3e6ec8b7b0236925004fbce36e2679872c7794e5b
SHA512 a9052bfff6b20f769763c14acd7b1dc47716b17aab69cd891254cc56a3a583e2c615e604d76a0644197a342d7122ba5e0a3fd10f2e154c71ee92c69df393b4a2

C:\WINDOWS\inf\bpkhk.dll

MD5 9ac9028338d1b353a7cacb563bb91df7
SHA1 a20c5dee8f05c91686324cec2d5b092bafe58339
SHA256 93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c
SHA512 ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

C:\WINDOWS\inf\bpkwb.dll

MD5 21d4e01f38b5efd64ad6816fa0b44677
SHA1 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
SHA256 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
SHA512 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

C:\Users\Admin\AppData\Local\Temp\RarSFX0\008).jpg

MD5 a4241f4bfaef3f695ec4ff9b7d7b34e9
SHA1 15bacc6340d1efd154b830a1e5ee0c9c14ab52a1
SHA256 c7dd01c56e3ab29e6c62035af876a09748a0ce984a726a24aed54bfc10fa4a75
SHA512 3da59bac4061f49fc18f7936f267dd84410bca8135c5da97e60be9ac415473ff709bf8fa39967f19b6909d7c11b83c8fdcfd6d1ede70d24a9665bd45fdddebcc

memory/2228-80-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2596-81-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-82-0x0000000000550000-0x00000000005A6000-memory.dmp

memory/2596-85-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2228-84-0x0000000000400000-0x0000000000502000-memory.dmp
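The Files listing records two copies of each component: the one WinRAR extracted into RarSFX0 and the one rinst.exe wrote into C:\WINDOWS\inf. For bpk.exe, bpkhk.dll, bpkwb.dll and pk.bin the two SHA256 values differ, so the installer rewrites every file it installs and a hash rule built from only the staged or only the installed set misses the other. rinst.exe and inst.dat are also written to C:\WINDOWS\inf according to the drop table, but the listing carries no digests for those copies. The script below is an added example, not part of the sandbox report: it parses a listing in the report's layout and pairs staged with installed copies by file name. SAMPLE_FILES carries the paths and SHA256 values from the listing above (the MD5, SHA1 and SHA512 lines are omitted here; the parser accepts them); the function names are my own.

```python
r"""Compare the staged (RarSFX0) and installed (C:\WINDOWS\inf) copies of each dropped file.

Added example (not from the sandbox report): SAMPLE_FILES carries the paths and
SHA256 values from the behavioral1 Files listing; function names are my own.
"""
import re
from collections import defaultdict

# Constructed input in the report's Files layout: a path line, then one
# "<ALGO> <hex>" line per digest; memory/... dump lines carry no digests.
SAMPLE_FILES = r"""
memory/2596-0-0x0000000000400000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
SHA256 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
SHA256 32f754689dbdb14bfcaf549a94a51f9ffc67c707be85d2d488a2b6d61921fc47

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
SHA256 89ecbed96c435090c490de84fc1ce6399e5ee1936bb23adc88b9698d6b95eee3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe
SHA256 f4b4bc294177020350ca20812e640d0c5a5b535445b1a33b6e66fd753a396a90

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll
SHA256 7856ddddbfc7815b6fdb40bd05b0c24add78778301e75ac134527e16fac553d9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll
SHA256 6a25be0ecab38f90950ec1b954b306a50b4c483c04ccfa28a18f357401a9fd4a

\Windows\inf\bpk.exe
SHA256 dc1dd674a79c29cf7d04d4458290ac377d9bd7a75f3f59f95bb9404a371f22dd

C:\WINDOWS\inf\pk.bin
SHA256 9c268c5a84460f387339a7f3e6ec8b7b0236925004fbce36e2679872c7794e5b

C:\WINDOWS\inf\bpkhk.dll
SHA256 93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

C:\WINDOWS\inf\bpkwb.dll
SHA256 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

C:\Users\Admin\AppData\Local\Temp\RarSFX0\008).jpg
SHA256 c7dd01c56e3ab29e6c62035af876a09748a0ce984a726a24aed54bfc10fa4a75
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return {path: {algo: digest}} for every on-disk entry with at least one digest."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        else:
            current = line
            files.setdefault(current, {})
    return {p: h for p, h in files.items() if h}


def pair_staged_installed(files, staging="\\rarsfx0\\", install="\\inf\\"):
    """Match staged and installed copies by file name. The drive letter is
    ignored because the report lists the installed bpk.exe without one."""
    by_name = defaultdict(dict)
    for path, hashes in files.items():
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if staging in low:
            by_name[name]["staged"] = hashes["SHA256"]
        elif install in low:
            by_name[name]["installed"] = hashes["SHA256"]
    pairs, staged_only = [], []
    for name, h in sorted(by_name.items()):
        if "staged" in h and "installed" in h:
            pairs.append((name, h["staged"], h["installed"], h["staged"] == h["installed"]))
        elif "staged" in h:
            staged_only.append(name)
    return pairs, staged_only


if __name__ == "__main__":
    pairs, staged_only = pair_staged_installed(parse_files(SAMPLE_FILES))
    for name, staged, installed, same in pairs:
        print(f"{name:10} staged {staged[:12]}  installed {installed[:12]}  {'same' if same else 'DIFFERENT'}")
    print("staged only:", staged_only)
```

Because all four pairs differ, a hunt for this installer on live hosts should carry both SHA256 sets, or lean on the stable indicators instead: the C:\WINDOWS\inf file names, the "bpk" Run value and the {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} BHO CLSID.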

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:07

Reported

2024-06-22 10:10

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\WINDOWS\\inf\\bpk.exe" C:\WINDOWS\inf\bpk.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\WINDOWS\inf\bpk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\inf\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File opened for modification C:\WINDOWS\inf\pk.bin C:\WINDOWS\inf\bpk.exe N/A
File created C:\WINDOWS\inf\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpk.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpkhk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\bpkwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\WINDOWS\inf\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\WINDOWS\\inf\\" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\WINDOWS\\inf\\bpkwb.dll" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "C:\\Windows\\SysWOW64\\qedit.dll" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\WINDOWS\\inf\\bpkwb.dll" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Audio Mixer" C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA} C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\WINDOWS\inf\bpk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\WINDOWS\inf\bpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\WINDOWS\inf\bpk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A
N/A N/A C:\WINDOWS\inf\bpk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe
PID 4776 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
PID 4776 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
PID 4776 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
PID 4580 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe C:\WINDOWS\inf\bpk.exe
PID 4580 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe C:\WINDOWS\inf\bpk.exe
PID 4580 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe C:\WINDOWS\inf\bpk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0190af5f6200bbfa0474b75e3e7d618a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

C:\WINDOWS\inf\bpk.exe

C:\WINDOWS\inf\bpk.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:587 smtp.aol.com tcp
US 8.8.8.8:53 31.97.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 i.pki.goog udp
GB 172.217.169.67:80 i.pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:587 smtp.aol.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:587 smtp.aol.com tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/3016-0-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-2-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-4-0x0000000002080000-0x00000000020D6000-memory.dmp

memory/4776-9-0x0000000002080000-0x00000000020D6000-memory.dmp

memory/4776-11-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-12-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-13-0x0000000002080000-0x00000000020D6000-memory.dmp

memory/4776-10-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-20-0x0000000002080000-0x00000000020D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 fbe4bab53f74d3049ef4b306d4cd8742
SHA1 6504b63908997a71a65997fa31eda4ae4de013e7
SHA256 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
SHA512 d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 74dfa45d9b60e968aac3059cf9d89498
SHA1 b2fa9587b92d9f8ba58c13de86a72a0065b9f126
SHA256 32f754689dbdb14bfcaf549a94a51f9ffc67c707be85d2d488a2b6d61921fc47
SHA512 73c25d5a55ee738dad50adcbce3d73a395e5d82663cfff81e6a75e1257267e0e986d32f5796ac007080cd968c20ebf83ddabac13fe50c995be0377e624ac41ce

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

MD5 7b9b57af3deb27462dffa4f8237450b3
SHA1 055ef73e04e298d10f81d8464c2bbb6901e38d2f
SHA256 f4b4bc294177020350ca20812e640d0c5a5b535445b1a33b6e66fd753a396a90
SHA512 bf6e4beef430783b93a757ed843b9eb3e673781c62350268fef23a7fa4334723bfaf1f5493cf658d0c4eaf01c20dd879be9b096a1aab8e905859818f3a69e027

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 ddee04a4f939484bfa27eb907e0dd577
SHA1 351eaf4777dd29ef25ba5a815b54443febc75e54
SHA256 89ecbed96c435090c490de84fc1ce6399e5ee1936bb23adc88b9698d6b95eee3
SHA512 a298a689ac6a6455623706698d46ece94843bc23620c861ceae0fa70938dce3a1658353b11b3f4860e234555931cc1ecdbfcd64fbecb19912e28d1c4d113fddd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

MD5 25c4e51ba801cc5d1d318133d386e3cb
SHA1 40655fdfebf278707cbaf9348e34c2c5194d54fe
SHA256 6a25be0ecab38f90950ec1b954b306a50b4c483c04ccfa28a18f357401a9fd4a
SHA512 9cc3f2d9f48e5714d9279b223a2f7a5af8b11f6256ae09a7ae72d76fe5416111107f403654cb6c9c98d6edbcfa7fcfd1b108d6e4d349f723eeeaa693132e4c71

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

MD5 49f530be28f57aff1f759df7e133136e
SHA1 07b5dc21defa1e7baaeea89b44127fe6fe323c70
SHA256 7856ddddbfc7815b6fdb40bd05b0c24add78778301e75ac134527e16fac553d9
SHA512 2cc073f42d33cb5a7488e0de59b0982d1d60fd523d5cac3740d7dc5572a90c3bbeb2d74d342501fee2dc2119c2e67f128fbbeaa1157a56e5ad999e27786777e0

C:\Windows\INF\bpk.exe

MD5 888df0bb402e5bb9488ffeb100efc4a3
SHA1 cffe4285be4d3ff50e56f8aad2fedc58df541ffb
SHA256 dc1dd674a79c29cf7d04d4458290ac377d9bd7a75f3f59f95bb9404a371f22dd
SHA512 ad4b7fca93caf607c55c51f158f19b97742efc3b8dbf0c76a5a60ebb2bcb4d1a3107b36811f3c821b86b18bf632006084452724714e9c17ff26762f10365040d

C:\WINDOWS\inf\pk.bin

MD5 9f4f25c03d43d8dc1273b6d5b42f1c34
SHA1 7c2fb929c307ec4b2c992d66572b6d47a1c8830a
SHA256 9c268c5a84460f387339a7f3e6ec8b7b0236925004fbce36e2679872c7794e5b
SHA512 a9052bfff6b20f769763c14acd7b1dc47716b17aab69cd891254cc56a3a583e2c615e604d76a0644197a342d7122ba5e0a3fd10f2e154c71ee92c69df393b4a2

C:\WINDOWS\inf\bpkhk.dll

MD5 9ac9028338d1b353a7cacb563bb91df7
SHA1 a20c5dee8f05c91686324cec2d5b092bafe58339
SHA256 93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c
SHA512 ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

C:\WINDOWS\inf\bpkwb.dll

MD5 21d4e01f38b5efd64ad6816fa0b44677
SHA1 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
SHA256 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
SHA512 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

memory/4776-63-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3016-64-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-65-0x0000000002080000-0x00000000020D6000-memory.dmp

memory/3016-66-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4776-68-0x0000000000400000-0x0000000000502000-memory.dmp