Malware Analysis Report

2025-01-22 16:26

Sample ID 241001-d78e5aydqk
Target 043c92cfe42149c314c13bbbeaf24110_JaffaCakes118
SHA256 1ddea188db63931fb7c1ac9d6aa863f84a2e82639111543ba3e7b08a52bd8ad9
Tags
gozi adware banker discovery isfb stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

1ddea188db63931fb7c1ac9d6aa863f84a2e82639111543ba3e7b08a52bd8ad9

Threat Level: Known bad

The file 043c92cfe42149c314c13bbbeaf24110_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi adware banker discovery isfb stealer trojan upx

Gozi

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Installs/modifies Browser Helper Object

Drops file in System32 directory

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 03:40

Reported

2024-10-01 03:42

Platform

win7-20240704-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msxml71.dll C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"

Network

N/A

Files

memory/2296-1204-0x0000000010000000-0x000000001004F000-memory.dmp

\Windows\SysWOW64\msxml71.dll

MD5 b975d1279081e67bfc5160611913f56f
SHA1 5d08f86258cdba2854ca0b163c4f3051eefa7e86
SHA256 e407e314df1d3ba572ff8371a07ff9677e1c6fa5a4e4e955406abbbab5216cf5
SHA512 719c9c86b9e31af4613555fbaa85215aab472ba27d59eb15df3ec44485669cd79895908096cf268a3502ce35de14f758545da1dae599bce214e09da99a51e336

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 03:40

Reported

2024-10-01 03:42

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msxml71.dll C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC} C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}" C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1 C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043c92cfe42149c314c13bbbeaf24110_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 52.111.227.11:443 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\msxml71.dll

MD5 b975d1279081e67bfc5160611913f56f
SHA1 5d08f86258cdba2854ca0b163c4f3051eefa7e86
SHA256 e407e314df1d3ba572ff8371a07ff9677e1c6fa5a4e4e955406abbbab5216cf5
SHA512 719c9c86b9e31af4613555fbaa85215aab472ba27d59eb15df3ec44485669cd79895908096cf268a3502ce35de14f758545da1dae599bce214e09da99a51e336

memory/3384-4-0x0000000010000000-0x000000001004F000-memory.dmp

memory/3384-63087-0x0000000010000000-0x000000001004F000-memory.dmp