Analysis Overview
SHA256
c58f20eb18ba0ea6a73b8762df122651560d73b96154ee368272238c4466c5cb
Threat Level: Known bad
The file 0c2ffafb372ac4748698aa79457d5e47_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX packed file
Loads dropped DLL
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 03:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 03:01
Reported
2024-06-25 03:04
Platform
win7-20240611-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1468 set thread context of 2712 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1}\AppName = "unpack200.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1}\Policy = "3" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "1\\bin" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "1\\bin" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "1\\bin" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "3" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3B9A6E32-36C9-4946-B78C-3F58E3785EC1}\AppPath = "1\\bin" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID\ = "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_17" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"1\\bin\\javaw.exe\" -jar \"%1\" %*" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Windows\\SysWow64\\deploytk.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\System.ControlPanel.Category = "8" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\npjpi160_17.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_17" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160_17 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\ = "JNLPFile" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160_17\CLSID\ = "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\EditFlags = 00000100 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ = "Java(tm) Plug-In 2 SSV Helper" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2ffafb372ac4748698aa79457d5e47_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2ffafb372ac4748698aa79457d5e47_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
"C:\Windows\SysWOW64\rundll32mgr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 100
Network
Files
memory/2408-0-0x000000006D6B0000-0x000000006D719000-memory.dmp
memory/2408-1-0x000000006D6B0000-0x000000006D719000-memory.dmp
\Windows\SysWOW64\rundll32mgr.exe
| MD5 | 2eb3806b294427bfb90d53f12ad948c1 |
| SHA1 | 879fb013938ff60cfa4b7c4d2b459766c4583ad2 |
| SHA256 | f657c80eb5c738fa74ee842253989943ba52684938043afe62355b2ff40edd28 |
| SHA512 | 086aef7280ac5cc53ef94b82ad5123dbc5b6118dbb41d57a893fe142773b06e8aa8f21dd00d8d06cb99923238e49b4a83fcb1b79e84b6a0adfd866e994ee17a1 |
memory/2408-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1468-12-0x0000000000020000-0x0000000000023000-memory.dmp
memory/1468-11-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
| MD5 | bbc45524a9103311a6068f3885d167c7 |
| SHA1 | f7c7186f1ad14e82ac8f8f0a554e28219633a881 |
| SHA256 | 9e1d7371bffe5c6b34fcca7d40646d80f57d637363b6c6af03ffaa0b8f774a09 |
| SHA512 | bd9e8a0bf95be7733108faba8d070447c07ddb26c6f6093931af034ad2c9f62495d2a55b2268a4d4aa1989d4bcdf6383ab3a5d9e69459ae4ef874a2326bd198a |
memory/2712-27-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2712-31-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1468-36-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2712-38-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-35-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-37-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-39-0x0000000000400000-0x0000000000463000-memory.dmp
\Users\Admin\AppData\Local\Temp\~TM6825.tmp
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
memory/2712-44-0x00000000778E0000-0x00000000778E1000-memory.dmp
memory/2712-43-0x00000000778DF000-0x00000000778E1000-memory.dmp
memory/2712-45-0x00000000778E0000-0x00000000778E2000-memory.dmp
\Users\Admin\AppData\Local\Temp\~TM6910.tmp
| MD5 | 9b98d47916ead4f69ef51b56b0c2323c |
| SHA1 | 290a80b4ded0efc0fd00816f373fcea81a521330 |
| SHA256 | 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b |
| SHA512 | 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94 |
memory/2712-49-0x0000000076714000-0x0000000076715000-memory.dmp
memory/2712-50-0x0000000076680000-0x0000000076790000-memory.dmp
memory/2712-51-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-53-0x0000000076680000-0x0000000076790000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 03:01
Reported
2024-06-25 03:04
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3708 set thread context of 1648 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "1\\bin" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-applet\CLSID = "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "Java(tm) Plug-In SSV Helper" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_17" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\System.ControlPanel.Category = "8" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\npjpi160_17.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\DefaultIcon\ = "1\\bin\\javacpl.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ = "1\\bin\\npjpi160_17.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID\ = "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\DefaultIcon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\ = "\"1\\bin\\javaws.exe\" \"%1\"" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file\Extension = ".jnlp" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160_17\CLSID\ = "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ = "1\\bin\\npjpi160_17.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2ffafb372ac4748698aa79457d5e47_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2ffafb372ac4748698aa79457d5e47_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
"C:\Windows\SysWOW64\rundll32mgr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 248
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | 2eb3806b294427bfb90d53f12ad948c1 |
| SHA1 | 879fb013938ff60cfa4b7c4d2b459766c4583ad2 |
| SHA256 | f657c80eb5c738fa74ee842253989943ba52684938043afe62355b2ff40edd28 |
| SHA512 | 086aef7280ac5cc53ef94b82ad5123dbc5b6118dbb41d57a893fe142773b06e8aa8f21dd00d8d06cb99923238e49b4a83fcb1b79e84b6a0adfd866e994ee17a1 |
memory/3708-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/4852-3-0x000000006D6B0000-0x000000006D719000-memory.dmp
memory/3708-7-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/1648-20-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1648-24-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1648-23-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1648-28-0x0000000000400000-0x0000000000463000-memory.dmp
memory/3708-27-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~TM3AC7.tmp
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |