Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-w9vk6aej6s
Target JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c
SHA256 4e9b4f9514c6277b7b47aae11ba263d1bfde2fa9460177dec226e61630ccb70f
Tags
adware discovery spyware stealer
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

4e9b4f9514c6277b7b47aae11ba263d1bfde2fa9460177dec226e61630ccb70f

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Installs/modifies Browser Helper Object

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:37

Reported

2025-07-04 18:40

Platform

win10v2004-20250610-en

Max time kernel

112s

Max time network

139s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "BrowserPanel" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\ = "QuickFlash 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\BLOD = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib\ = "{4645A0E0-7B59-439A-BB73-D4159321E09B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "BrowserPanel" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\SJBC = "300" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\CUDA = "5310" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib\ = "{4645A0E0-7B59-439A-BB73-D4159321E09B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\FSHS = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4645A0E0-7B59-439A-BB73-D4159321E09B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C86B82BE-3E84-4F71-8323-F12BB71D9CB2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5528 wrote to memory of 2500 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5528 wrote to memory of 2500 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5528 wrote to memory of 2500 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c26cdd6b517bdb01e668899a9101c.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A