Malware Analysis Report

2025-04-13 20:42

Sample ID 240704-esjc5awbqh
Target 249701560c62eb9b32ad0b3091987c27_JaffaCakes118
SHA256 17491898ca9dd8ba531692d30a5bbf4088c008a120c5dd077e0ea9f8dd02990e
Tags modiloader evasion persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 17491898ca9dd8ba531692d30a5bbf4088c008a120c5dd077e0ea9f8dd02990e

Threat Level: Known bad

The file 249701560c62eb9b32ad0b3091987c27_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence privilege_escalation trojan

ModiLoader, DBatLoader

Modiloader family

ModiLoader Second Stage

UAC bypass

ModiLoader Second Stage

Modifies Windows Firewall

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

System policy modification

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-04 04:12

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-04 04:12
Reported 2024-07-04 04:14
Platform win7-20240221-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Windows\SysWOW64\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Windows\SysWOW64\wscript.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID\ = "{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\Class = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\Class = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}\0 = ".NET Category" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID\ = "{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\Class = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ = "mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\ = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\Class = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\ = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId\ = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId\ = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ = "mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2736 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 2352 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2352 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2352 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2352 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2628 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe
PID 2628 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\wscript.exe
PID 2628 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\wscript.exe
PID 2628 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\wscript.exe
PID 2628 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\wscript.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gh.exe

"C:\Users\Admin\AppData\Local\Temp\gh.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.vbe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zxzx.no-ip.org | udp

Files

\Users\Admin\AppData\Local\Temp\gh.exe

MD5 ee6e49d34ec1d5a3d71c41419529141e
SHA1 d21d3885974daf7ca4ff4a18c88edd2e755947f1
SHA256 e7ae8b6a6cee6368cc9c6f5a28fafd919672dd6dd2525e8e74f52c5a222a8b8f
SHA512 5a8d30e01651094435d33c5273e9c79adb899d784cb5a9c5cf70e4e8efa684e3fdd69dbd10bb159392e867fab0dbe0675e679ad00ff5041c25b412536fcda3c3

memory/2352-11-0x00000000748E1000-0x00000000748E2000-memory.dmp

memory/2352-12-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2352-13-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2736-16-0x0000000003080000-0x0000000003082000-memory.dmp

memory/1508-17-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2736-26-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2352-27-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\images.jpg

MD5 b07dbe51ded53ca9e8a8536d1a954ff1
SHA1 1fd2a400e442ce65581e72ea6191e4058430f7b3
SHA256 48e172263d81fc3d899fa9cd21f8f1fc138d5ff0c9bd27a3d2a7b69c646b375a
SHA512 12142d4d165ef7dbec609dec19b7241e6bfb54beb97764e1f9f1ee74c79c7ce557f8d061216f222cffe18bd0ac70b278d8bc297072b1a16c3ddbd3160d270144

C:\Users\Admin\AppData\Local\Temp\Trojan.vbe

MD5 49d1ecdc211d43d17d90d7cffaf159c2
SHA1 997a1bd83f41e7a8bebc037c9a59e520581eb70f
SHA256 257d335e97e18bc1103e1707a6eda7dfd7e20be8f2d4b3a2f616730ff5c39d17
SHA512 97481dc8338994e47978faad6bad68fc503bfe9a26756908636c238338cbac5dbcf62fc0e0e56c39415b6f6b48873d01a36f1f52a4e11ec722e1fb3650a36bd8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe

MD5 91102132470e20539589b076fe52fdc6
SHA1 c9158b9847f1bbdcf7dde23467e5e4e8a708597d
SHA256 353c51227ddbdf1e766886a448f83f786a8c946e6892192bb5ac44f97569210d
SHA512 9a67c4a14fde5ea561f2a76a148c55339deeb28e53ed106c41a0d304ca45ca6c6066509981aca86c2f0a4fea88e6c5e9039fcb48556f933dcead77a39e79677c

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-04 04:12
Reported 2024-07-04 04:14
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Windows\SysWOW64\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Windows\SysWOW64\wscript.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gh.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\Class = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ = "xuwiicjduji.xuwiicjduji" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID\ = "{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\Class = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ = "mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId\ = "xuwiicjduji.A" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ = "mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65} | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId\ = "xuwiicjduji.xuwiicjduji" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0 C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\Class = "xuwiicjduji.A" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0 C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\ = "xuwiicjduji.A" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\ = "xuwiicjduji.xuwiicjduji" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0 C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.xuwiicjduji\CLSID\ = "{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\Class = "xuwiicjduji.xuwiicjduji" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
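The registry rows above describe two classes, ProgIds xuwiicjduji.A and xuwiicjduji.xuwiicjduji, registered as in-process COM servers whose InprocServer32 is the CLR host mscoree.dll, with RuntimeVersion v2.0.50727, ThreadingModel Both, an Assembly string without a strong name (PublicKeyToken=null), a CodeBase pointing at the dropped Trojan.exe in the user's Temp directory, and the .NET component category {62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}. That is the layout the .NET Framework's assembly COM registration writes (regasm.exe /codebase, or RegistrationServices.RegisterAssembly with the SetCodeBase flag), here performed by Trojan.exe on itself. The rows are not chronological (values under a key are listed before the key's "Key created" row, and keys are "deleted" and "created" in the same table), so the end state has to be reconstructed by grouping rather than by replaying events. The Python below is an added example and not part of the sandbox report: it parses rows in the report's printed format (a constructed subset of the table above is embedded), groups them per CLSID, and flags managed COM servers whose CodeBase lies in a user-writable path or whose assembly has no strong name. The list of user-writable locations is an illustrative assumption.

```python
"""Summarise the .NET COM registrations in the report's registry rows. Added example;
the sample rows are a constructed subset of the table above, in its printed format."""
import re
from collections import defaultdict

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^Key (created|deleted) (\\REGISTRY\\.+?) (\S+) (\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?$')
# Locations a standard user can write to (illustrative list, an assumption).
USER_WRITABLE = ("/users/", "/appdata/", "/temp/", "/programdata/")

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xuwiicjduji.A\CLSID\ = "{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ = "mscoree.dll" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\ProgId\ = "xuwiicjduji.A" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9}\InprocServer32\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB999A0F-1AB9-33D9-BAE4-ED7776949AA9} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ = "mscoree.dll" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\ProgId\ = "xuwiicjduji.xuwiicjduji" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65} C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DEEBC5-3682-35B6-BAE8-46049FAD2B65}\InprocServer32\0.0.0.0\Assembly = "xuwiicjduji, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
"""


def parse_rows(text):
    """Yield (kind, key_path, value, process); kind is 'set', 'created' or 'deleted'."""
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            yield "set", m.group(2), m.group(3), m.group(4)
            continue
        m = KEY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), None, m.group(3)


def group_by_clsid(events):
    """Collect values per CLSID without replaying order: the report's rows are not
    chronological (values under a key are listed before the key is 'created'), so
    deletions are only counted, never applied to the collected values."""
    regs = defaultdict(lambda: {"values": {}, "created": 0, "deleted": 0, "process": ""})
    for kind, path, value, proc in events:
        m = CLSID_RE.search(path)
        if not m:
            continue  # ProgId and Component Categories rows live outside CLSID\
        entry = regs[m.group(1)]
        entry["process"] = proc
        sub = m.group(2) or ""  # e.g. 'InprocServer32\' (default value) or 'InprocServer32\CodeBase'
        if kind == "set":
            entry["values"][sub] = value
        else:
            entry[kind] += 1
    return regs


def assess(regs):
    """One finding per CLSID whose in-process server is the CLR host mscoree.dll."""
    findings = []
    for clsid, entry in sorted(regs.items()):
        v = entry["values"]
        if v.get("InprocServer32\\", "").lower() != "mscoree.dll":
            continue
        codebase = v.get("InprocServer32\\CodeBase") or v.get("InprocServer32\\0.0.0.0\\CodeBase", "")
        assembly = v.get("InprocServer32\\Assembly") or v.get("InprocServer32\\0.0.0.0\\Assembly", "")
        findings.append({
            "clsid": clsid,
            "progid": v.get("ProgId\\", ""),
            "runtime": v.get("InprocServer32\\RuntimeVersion", ""),
            "codebase": codebase,
            "assembly": assembly,
            "process": entry["process"],
            "created_keys": entry["created"],
            "deleted_keys": entry["deleted"],
            "user_writable_codebase": any(t in codebase.lower() for t in USER_WRITABLE),
            "unsigned_assembly": "PublicKeyToken=null" in assembly,
        })
    return findings


def analyse(text):
    return assess(group_by_clsid(parse_rows(text)))


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        flags = [k for k in ("user_writable_codebase", "unsigned_assembly") if f[k]]
        print(f"{f['clsid']} {f['progid']} <- {f['codebase']} {' '.join(flags)}")
```

Run against the full table it prints one line per CLSID. The two flags are the hunt criteria worth carrying to other hosts: a COM server hosted by mscoree.dll whose CodeBase lives under a user profile, and an assembly string with no strong name, are what self-registration from a dropped .NET binary looks like in the registry.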

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 4068 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 4068 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gh.exe
PID 920 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\gh.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 920 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\gh.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 920 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\gh.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 1992 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1992 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\wscript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gh.exe

"C:\Users\Admin\AppData\Local\Temp\gh.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.vbe"
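The WriteProcessMemory table and the Processes list above together give the chain of this detonation, but the report prints them separately and never ties a PID to a command line (both netsh.exe instances share one image path). The Python below is an added example, not sandbox output: it parses both tables in their printed format (the embedded sample text is constructed from the rows above), rebuilds the tree 4068 > 920 > 1992 > {2340, 2744, 5088} with the write count on each edge, and flags the command lines that matter here: the two legacy netsh firewall allowedprogram exceptions (one for the dropped Trojan.exe, one for the wscript.exe script host), wscript.exe launching Trojan.vbe from Temp, and every image that runs from a user-writable path. Two assumptions are built in and labelled in the code: command lines are matched to PIDs per image in the order the tables list them, and the list of user-writable locations is illustrative.

```python
"""Rebuild this detonation's process tree from the WriteProcessMemory rows and the
Processes list, then flag the command lines that matter. Added example; the sample
text below is constructed from the report's tables, not exported by the sandbox."""
import re
from collections import defaultdict

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
NETSH_RE = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf")
# Locations a standard user can write to (illustrative list, an assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
MAIN = T + r"\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"
# (parent pid, child pid, parent image, child image); the report lists each pair 3 times.
_EDGES = [(4068, 920, MAIN, T + r"\gh.exe"), (920, 1992, T + r"\gh.exe", T + r"\Trojan.exe"),
          (1992, 2340, T + r"\Trojan.exe", S + r"\netsh.exe"),
          (1992, 2744, T + r"\Trojan.exe", S + r"\netsh.exe"),
          (1992, 5088, T + r"\Trojan.exe", S + r"\wscript.exe")]
SAMPLE_WPM = "\n".join(f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
                       for p, c, pi, ci in _EDGES for _ in range(3))

SAMPLE_PROCS = r"""
C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249701560c62eb9b32ad0b3091987c27_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gh.exe
"C:\Users\Admin\AppData\Local\Temp\gh.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.vbe"
"""


def user_writable(path):
    return any(token in path.lower() for token in USER_WRITABLE)


def parse_wpm(text):
    """Return ({pid: image}, {(ppid, pid): write_count}); dict order follows row order."""
    images, writes = {}, defaultdict(int)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            ppid, pid = int(m.group(1)), int(m.group(2))
            images.setdefault(ppid, m.group(3))
            images.setdefault(pid, m.group(4))
            writes[(ppid, pid)] += 1
    return images, writes


def parse_procs(text):
    """The Processes list prints image path and command line on alternate non-blank lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def build_tree(wpm_text, proc_text):
    """Map each PID to image, command line and children. The report never ties a PID to
    a command line, so lines are handed out per image in listing order (assumption)."""
    images, writes = parse_wpm(wpm_text)
    pending = defaultdict(list)
    for image, cmd in parse_procs(proc_text):
        pending[image].append(cmd)
    tree = {}
    for pid, image in images.items():
        cmd = pending[image].pop(0) if pending[image] else ""
        tree[pid] = {"image": image, "cmdline": cmd, "children": [], "writes_from_parent": 0}
    for (ppid, pid), count in writes.items():
        tree[ppid]["children"].append(pid)
        tree[pid]["writes_from_parent"] = count
    roots = [pid for pid in tree if tree[pid]["writes_from_parent"] == 0]
    return tree, roots


def render(tree, roots):
    """Indented one-line-per-process view with the parent's write count on each edge."""
    out = []
    def walk(pid, depth):
        node = tree[pid]
        name = node["image"].rsplit("\\", 1)[-1]
        edge = f" ({node['writes_from_parent']} writes)" if node["writes_from_parent"] else ""
        out.append(f"{'  ' * depth}{pid} {name}{edge}")
        for child in node["children"]:
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return out


def triage(tree):
    """Flag firewall exceptions for user-writable binaries or script hosts, script hosts
    running scripts from user-writable paths, and images that run from such paths."""
    findings = []
    for pid, node in tree.items():
        image, cmd = node["image"], node["cmdline"]
        m = NETSH_RE.search(cmd)
        if m and (user_writable(m.group(1)) or m.group(1).lower().endswith(("wscript.exe", "cscript.exe"))):
            findings.append((pid, "firewall exception for " + m.group(1)))
        if image.lower().endswith(("wscript.exe", "cscript.exe")):
            for arg in re.findall(r'"([^"]+)"', cmd)[1:]:
                if arg.lower().endswith(SCRIPT_EXT) and user_writable(arg):
                    findings.append((pid, "script host runs " + arg))
        if user_writable(image):
            findings.append((pid, "image runs from a user-writable path"))
    return findings


if __name__ == "__main__":
    tree, roots = build_tree(SAMPLE_WPM, SAMPLE_PROCS)
    print("\n".join(render(tree, roots)))
    for pid, why in triage(tree):
        print(f"  [{pid}] {why}")
```

Three WriteProcessMemory rows per parent/child pair is what the sandbox logged for every process start in this run, so the count is a baseline rather than a finding; a pair whose count departs markedly from it, or whose child has no matching Processes entry, is the place to look for something other than plain process creation.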

Network

Country Destination Domain Proto
US 8.8.8.8:53 zxzx.no-ip.org udp
(this DNS lookup of zxzx.no-ip.org, a No-IP dynamic DNS hostname, was logged 11 times; the table records no connection to a resolved address)

Files

C:\Users\Admin\AppData\Local\Temp\gh.exe

MD5 ee6e49d34ec1d5a3d71c41419529141e
SHA1 d21d3885974daf7ca4ff4a18c88edd2e755947f1
SHA256 e7ae8b6a6cee6368cc9c6f5a28fafd919672dd6dd2525e8e74f52c5a222a8b8f
SHA512 5a8d30e01651094435d33c5273e9c79adb899d784cb5a9c5cf70e4e8efa684e3fdd69dbd10bb159392e867fab0dbe0675e679ad00ff5041c25b412536fcda3c3

memory/4068-8-0x0000000000400000-0x0000000000445000-memory.dmp

memory/920-10-0x0000000073C12000-0x0000000073C13000-memory.dmp

memory/920-11-0x0000000073C10000-0x00000000741C1000-memory.dmp

memory/920-13-0x0000000073C10000-0x00000000741C1000-memory.dmp

memory/1992-23-0x0000000073C10000-0x00000000741C1000-memory.dmp

memory/920-22-0x0000000073C10000-0x00000000741C1000-memory.dmp

memory/1992-25-0x0000000073C10000-0x00000000741C1000-memory.dmp

memory/1992-26-0x0000000073C10000-0x00000000741C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Trojan.vbe

MD5 49d1ecdc211d43d17d90d7cffaf159c2
SHA1 997a1bd83f41e7a8bebc037c9a59e520581eb70f
SHA256 257d335e97e18bc1103e1707a6eda7dfd7e20be8f2d4b3a2f616730ff5c39d17
SHA512 97481dc8338994e47978faad6bad68fc503bfe9a26756908636c238338cbac5dbcf62fc0e0e56c39415b6f6b48873d01a36f1f52a4e11ec722e1fb3650a36bd8

memory/1992-32-0x0000000073C10000-0x00000000741C1000-memory.dmp