Malware Analysis Report

2025-08-11 04:31

Sample ID 250115-t2pc3azldk
Target JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9
SHA256 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
Tags adware discovery stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b

Threat Level: Shows suspicious behavior

The file JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9 was classified as: Shows suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 16:33

Reported

2025-01-15 16:35

Platform

win7-20240903-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dmutil32.exe N/A
N/A N/A C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File opened for modification C:\Windows\SysWOW64\2045796327 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File created C:\Windows\SysWOW64\dmutil32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File opened for modification C:\Windows\SysWOW64\dmutil32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File opened for modification C:\Windows\SysWOW64\2045796327 C:\Windows\SysWOW64\dmutil32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dmutil32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Tnsbjvyajo C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Tnsbjvyajo C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Tnsbjvyajo C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ea8361b-554b-4884-bcaf-c204afc9d680} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Software\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{c45e9028-2985-4bf5-8b13-8eeb9a25296f}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"

C:\Windows\SysWOW64\dmutil32.exe

C:\Windows\SysWOW64\dmutil32.exe

C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe


Network

N/A

Files

C:\Windows\SysWOW64\2045796327

MD5 ecd882f2dbfd7625915551727ddce092
SHA1 ecdbc1cefaaa0f5ef78016c4531b9eb74f195f9c
SHA256 dbe196113fe07ebc7650c6b9e57fd7376a286b0137b9dd821ac5c103b6cc04a5
SHA512 83b76814cb9a69909449c20c3cd77599a8b75d8203ae85d7534e2675f5b13c09904fd86cdcd6361b8d34ed66eb8ed2f4a2406dfc9412df90a16b4664e1cc7e2e

C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe

MD5 5c4bc26caed4fbeca8026e18b58eb0d9
SHA1 b325151aa6e6ba2155c4b81e51fa36aea9e62588
SHA256 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
SHA512 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10

memory/2812-28-0x0000000000489000-0x000000000048C000-memory.dmp

memory/2812-27-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\2045796327

MD5 dda01966a5980b296846651a96adaa6f
SHA1 8443bdcf0db537846a54f96317a6d1b1fa0917a9
SHA256 e7f5aabc475c6736833d079010b0775caa3928d529d5f2a2a3071cf470cffe86
SHA512 9b0e685cf3807f0ac4271c53475bd0a8236b3ba630d75788743991db8d29f0daa9c8dc770757f8c9f1431d1f04fb0d367302b75212548443622d2bfca5667816

memory/2556-24-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2812-5-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2812-6-0x0000000010000000-0x000000001008F000-memory.dmp

\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

MD5 039a15a688868e70e8f524dd085de889
SHA1 696707392807a8a12a186eace7f2988fa99d0410
SHA256 9df4737585de117e0de9b51cc4c047caf818cd3568c94b87a003a40ad99992fa
SHA512 8e6c40cf4241cf66adf0bd0cd5efb8621b92b2c444e3ec20daa02b36268a5aa9a70577ef8d480e3b6fea7b72f9c31657cddf5d4d652bc2403637dbdb9d0decd7

memory/2812-1-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2812-0-0x0000000000489000-0x000000000048C000-memory.dmp

memory/2556-41-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2728-44-0x0000000000400000-0x0000000000492000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 16:33

Reported

2025-01-15 16:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\odbctrac32.exe N/A
N/A N/A C:\ProgramData\agentactivationruntimewindows32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{136971C9-FED1-4571-9D36-A175B4E90C42} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\974975309 C:\Windows\SysWOW64\odbctrac32.exe N/A
File created C:\Windows\SysWOW64\agentactivationruntimewindows32.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File opened for modification C:\Windows\SysWOW64\974975309 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File created C:\Windows\SysWOW64\odbctrac32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
File opened for modification C:\Windows\SysWOW64\odbctrac32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\agentactivationruntimewindows32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\odbctrac32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Hbsatpnuwd C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45d14cf6-0937-49bd-8298-07e84fc532fa} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{a35d3dea-816c-4752-80f2-6fb0e4f6396a}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ = "C:\\Windows\\SysWow64\\agentactivationruntimewindows32.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 2432 N/A C:\Windows\SysWOW64\odbctrac32.exe C:\ProgramData\agentactivationruntimewindows32.exe
PID 4492 wrote to memory of 2432 N/A C:\Windows\SysWOW64\odbctrac32.exe C:\ProgramData\agentactivationruntimewindows32.exe
PID 4492 wrote to memory of 2432 N/A C:\Windows\SysWOW64\odbctrac32.exe C:\ProgramData\agentactivationruntimewindows32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"

C:\Windows\SysWOW64\odbctrac32.exe

C:\Windows\SysWOW64\odbctrac32.exe

C:\ProgramData\agentactivationruntimewindows32.exe


Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

memory/640-0-0x0000000000489000-0x000000000048C000-memory.dmp

memory/640-1-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\agentactivationruntimewindows32.dll

MD5 039a15a688868e70e8f524dd085de889
SHA1 696707392807a8a12a186eace7f2988fa99d0410
SHA256 9df4737585de117e0de9b51cc4c047caf818cd3568c94b87a003a40ad99992fa
SHA512 8e6c40cf4241cf66adf0bd0cd5efb8621b92b2c444e3ec20daa02b36268a5aa9a70577ef8d480e3b6fea7b72f9c31657cddf5d4d652bc2403637dbdb9d0decd7

memory/640-6-0x0000000010000000-0x000000001008F000-memory.dmp

memory/640-10-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\odbctrac32.exe

MD5 5c4bc26caed4fbeca8026e18b58eb0d9
SHA1 b325151aa6e6ba2155c4b81e51fa36aea9e62588
SHA256 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
SHA512 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10

C:\Windows\SysWOW64\974975309

MD5 71723132c62124e5dd0d4e39bc72ece8
SHA1 338a09b62eea797f4335cf6019fbfdbaa410997d
SHA256 0d33358e318803c05f591c107ca9d8575635ccffcf3b33cfe5c44168ee5756de
SHA512 fc8827b5b1887127be940bf01e2db816f1a60263830e0b916e92e27f9c6a23b56bb0035004297778fe5a6554d5686cbb4894205b59a3f32a90bcd67eb1157baa

memory/4492-27-0x0000000000400000-0x0000000000492000-memory.dmp

memory/640-31-0x0000000000400000-0x0000000000492000-memory.dmp

memory/640-30-0x0000000000489000-0x000000000048C000-memory.dmp

C:\Windows\SysWOW64\974975309

MD5 3670d2494d8baec069f3a068668fd463
SHA1 1a68de1762b920fbe19385fb3d1a262a30bb1ceb
SHA256 1451f3e2dca6c70601925d813f52b7c84988c702ccb2c07c57a598126a23ea56
SHA512 9ef097bd95428bff95d3a9cfb0f93538d664f9908e74420980ba5fe289fefcb78f19349d2dabe7d907c1614c112d5a5355dccfcc82466eb9f6813adec49ac74c

memory/2432-38-0x0000000000400000-0x0000000000492000-memory.dmp

memory/4492-40-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2432-42-0x0000000000400000-0x0000000000492000-memory.dmp