Malware Analysis Report

2025-01-18 22:01

Sample ID 240622-mxlm2syfjk
Target 01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118
SHA256 c0ab28b8174604461375471139088fc3ae917edd9acf137c4795ddd862e3f905
Tags adware bootkit persistence stealer upx
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 c0ab28b8174604461375471139088fc3ae917edd9acf137c4795ddd862e3f905

Threat Level: Shows suspicious behavior

The file 01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware bootkit persistence stealer upx

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-22 10:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-22 10:50
Reported 2024-06-22 10:53
Platform win7-20240611-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\snav.exe N/A
N/A N/A C:\Windows\DBinstall.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\id = "Snav" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\addrlib.dat C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\addrlib.dat C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\IEExtend.dll C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\BBN_Sicent.dll C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Snav.dll C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\Snav.dll C:\Windows\DBinstall.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\snav.exe C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
File created C:\Windows\Snav.dll C:\Windows\snav.exe N/A
File opened for modification C:\Windows\Snav.dll C:\Windows\snav.exe N/A
File created C:\Windows\DBinstall.exe C:\Windows\snav.exe N/A
File opened for modification C:\Windows\DBinstall.exe C:\Windows\snav.exe N/A
File opened for modification C:\Windows\DBINST~1.EXE C:\Windows\DBinstall.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\VersionIndependentProgID\ = "Snav.JsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ = "ISearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\CLSID\ = "{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\ = "SearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook.1\CLSID\ = "{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ProgID\ = "Snav.JsObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ = "IJsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\ = "SearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\VersionIndependentProgID\ = "Snav.SearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CLSID\ = "{91A9D6D5-AFEE-4748-82D7-737A523F63D5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CurVer\ = "Snav.JsObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\ = "Snav 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ = "ISearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1\CLSID\ = "{91A9D6D5-AFEE-4748-82D7-737A523F63D5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ = "IJsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32\ = "C:\\Windows\\SysWow64\\Snav.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\snav.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1408 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\snav.exe C:\Windows\DBinstall.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2660 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2784 N/A C:\Windows\DBinstall.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe"

C:\Windows\snav.exe

"C:\Windows\snav.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 584

C:\Windows\DBinstall.exe

"C:\Windows\DBinstall.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\Snav.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\DBINST~1.EXE

Network

N/A

Files

C:\Windows\snav.exe

MD5 e6e9a55e43cfb4e05be5a56ffd3dcb92
SHA1 9e3e96932c7ecac5d4b45281b408ae30af482473
SHA256 6577563a91a7d8f7d963238fb7ffa22a59d205a79f198aa721ef2f42d04c220d
SHA512 e69e226952acdce3ed12bdb0b098ebaf17075dcf118e37af2844bcdd3506119a7ffcfbb5562bd12a588fee1267ea45aa1170821294effb7726c4ae093be484ef

memory/2428-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1408-5-0x0000000002B60000-0x0000000002B84000-memory.dmp

C:\Windows\DBinstall.exe

MD5 76843c805e6ffd4197b24af71bb8d20a
SHA1 da00df68c92dd9e7de212eaffbd53de5230f7072
SHA256 9e596a90eca42510f5f66cd01289b4e92e57bafd9a6215cb887dd03bfbae2bb5
SHA512 1e9e1ffddb72921115794607ec71734dcaec7b22b6810e8cbb3d056eb8302290a3f3e1f0fc27be69db6ad354cab00baffc6cd9a93faf107967f5a05e536aedaa

memory/2428-16-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\Snav.dll

MD5 fbf4e8fc3a251d2bd3bcb8d611b1c321
SHA1 127170ca3e29cf87e3e5f7ee05d00ffda89f2afa
SHA256 ec6a7b04139e211ae7aae15d02c4747755eb9792c9ab03f2c91653b31fffecb1
SHA512 1e50a26f49cd7229a13895a8d9c4b9f2d101f103b01303812f11dfe4e18db2246cc7c3f4d2fc6116bb24f3ab0ba042523c4ee22eed2fca8cc795baecf3f4b2ef

memory/1408-26-0x0000000002B60000-0x0000000002B84000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-22 10:50
Reported 2024-06-22 10:53
Platform win10v2004-20240611-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\snav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\DBinstall.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\snav.exe N/A
N/A N/A C:\Windows\DBinstall.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\id = "Snav" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\BBN_Sicent.dll C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Snav.dll C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\Snav.dll C:\Windows\DBinstall.exe N/A
File opened for modification C:\Windows\SysWOW64\addrlib.dat C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\addrlib.dat C:\Windows\DBinstall.exe N/A
File created C:\Windows\SysWOW64\IEExtend.dll C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\snav.exe C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe N/A
File created C:\Windows\Snav.dll C:\Windows\snav.exe N/A
File opened for modification C:\Windows\Snav.dll C:\Windows\snav.exe N/A
File created C:\Windows\DBinstall.exe C:\Windows\snav.exe N/A
File opened for modification C:\Windows\DBinstall.exe C:\Windows\snav.exe N/A
File opened for modification C:\Windows\DBINST~1.EXE C:\Windows\DBinstall.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\InprocServer32\ = "C:\\Windows\\SysWow64\\Snav.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\ = "SearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32\ = "C:\\Windows\\SysWow64\\Snav.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Snav.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ = "ISearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ = "IJsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ = "IJsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\VersionIndependentProgID\ = "Snav.JsObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\CLSID\ = "{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\ProgID\ = "Snav.SearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CLSID\ = "{91A9D6D5-AFEE-4748-82D7-737A523F63D5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.SearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\ = "Snav 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject.1\ = "JsObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\TypeLib\ = "{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Snav.JsObject\CurVer\ = "Snav.JsObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}\ProgID\ = "Snav.JsObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01c13fdf2f888efb99798ed74ba295a2_JaffaCakes118.exe"

C:\Windows\snav.exe

"C:\Windows\snav.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1960 -ip 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1160

C:\Windows\DBinstall.exe

"C:\Windows\DBinstall.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\Snav.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\DBINST~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\snav.exe

MD5 e6e9a55e43cfb4e05be5a56ffd3dcb92
SHA1 9e3e96932c7ecac5d4b45281b408ae30af482473
SHA256 6577563a91a7d8f7d963238fb7ffa22a59d205a79f198aa721ef2f42d04c220d
SHA512 e69e226952acdce3ed12bdb0b098ebaf17075dcf118e37af2844bcdd3506119a7ffcfbb5562bd12a588fee1267ea45aa1170821294effb7726c4ae093be484ef

memory/4400-8-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\DBinstall.exe

MD5 76843c805e6ffd4197b24af71bb8d20a
SHA1 da00df68c92dd9e7de212eaffbd53de5230f7072
SHA256 9e596a90eca42510f5f66cd01289b4e92e57bafd9a6215cb887dd03bfbae2bb5
SHA512 1e9e1ffddb72921115794607ec71734dcaec7b22b6810e8cbb3d056eb8302290a3f3e1f0fc27be69db6ad354cab00baffc6cd9a93faf107967f5a05e536aedaa

C:\Windows\Snav.dll

MD5 fbf4e8fc3a251d2bd3bcb8d611b1c321
SHA1 127170ca3e29cf87e3e5f7ee05d00ffda89f2afa
SHA256 ec6a7b04139e211ae7aae15d02c4747755eb9792c9ab03f2c91653b31fffecb1
SHA512 1e50a26f49cd7229a13895a8d9c4b9f2d101f103b01303812f11dfe4e18db2246cc7c3f4d2fc6116bb24f3ab0ba042523c4ee22eed2fca8cc795baecf3f4b2ef

memory/4400-29-0x0000000000400000-0x0000000000424000-memory.dmp