Analysis Overview
SHA256
1ddea188db63931fb7c1ac9d6aa863f84a2e82639111543ba3e7b08a52bd8ad9
Threat Level: Known bad
The file 043c92cfe42149c314c13bbbeaf24110_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Installs/modifies Browser Helper Object
Drops file in System32 directory
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-01 03:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-01 03:40
Reported
2024-10-01 03:42
Platform
win7-20240704-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Gozi
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\msxml71.dll | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"
Network
Files
memory/2296-1204-0x0000000010000000-0x000000001004F000-memory.dmp
\Windows\SysWOW64\msxml71.dll
| Hash | Value |
|---|---|
| MD5 | b975d1279081e67bfc5160611913f56f |
| SHA1 | 5d08f86258cdba2854ca0b163c4f3051eefa7e86 |
| SHA256 | e407e314df1d3ba572ff8371a07ff9677e1c6fa5a4e4e955406abbbab5216cf5 |
| SHA512 | 719c9c86b9e31af4613555fbaa85215aab472ba27d59eb15df3ec44485669cd79895908096cf268a3502ce35de14f758545da1dae599bce214e09da99a51e336 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-01 03:40
Reported
2024-10-01 03:42
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
102s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\msxml71.dll | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC} | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1 | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\msxml71.dll
| Hash | Value |
|---|---|
| MD5 | b975d1279081e67bfc5160611913f56f |
| SHA1 | 5d08f86258cdba2854ca0b163c4f3051eefa7e86 |
| SHA256 | e407e314df1d3ba572ff8371a07ff9677e1c6fa5a4e4e955406abbbab5216cf5 |
| SHA512 | 719c9c86b9e31af4613555fbaa85215aab472ba27d59eb15df3ec44485669cd79895908096cf268a3502ce35de14f758545da1dae599bce214e09da99a51e336 |
memory/3384-4-0x0000000010000000-0x000000001004F000-memory.dmp
memory/3384-63087-0x0000000010000000-0x000000001004F000-memory.dmp