Malware Analysis Report

2025-01-18 22:28

Sample ID 240504-rhtsbsgb2y
Target 13139d28789f574157b034cab3747cf7_JaffaCakes118
SHA256 05c5863b608f27843b7fedbf54d09c36a8882330999ab8f49e7776a5a61a40a8
Tags
adware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

05c5863b608f27843b7fedbf54d09c36a8882330999ab8f49e7776a5a61a40a8

Threat Level: Shows suspicious behavior

The file 13139d28789f574157b034cab3747cf7_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer upx

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Drops startup file

Loads dropped DLL

UPX packed file

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 14:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 14:12

Reported

2024-05-04 14:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wybho.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Thunder.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Internet Explorer\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "WYBHO.wybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer\ = "Thunder.xlhelper.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "WYBHO.wybhotool.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "wybhotool Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID\ = "Thunder.xlhelper.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\ = "WYBHO 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID\ = "Thunder.xlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s "C:\Windows\system32\wybho.dll"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "

Network

N/A

Files

memory/2664-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\wybho.dll

MD5 68b65524748712b97a3ece67887a8c57
SHA1 b902b20b96b89ae5a328fc9480aa74eb102d3f58
SHA256 7725e0ab99614776160cec3509d24b91607ac61be17f731b51fa418246bac7c1
SHA512 8b3fc11f09fd72cb8fa4512feee90680d018152d6690ffba2f1f919b52f6ac2143cca0da1c7f2fd5e2c9f59065594e1e7beda4becdb1c3992870539beb161f2e

memory/2424-7-0x0000000010000000-0x0000000010032000-memory.dmp

C:\Windows\SysWOW64\Thunder.dll

MD5 eaf8239add44ac986a321565efdfead9
SHA1 8129182ad7be9ef58a0d9a8a44f87f2c9133cbb2
SHA256 c68e173f06f9db9334f0e0ff3a8b9f4e51963df33557658bfbadc36764a0ae66
SHA512 4fd17dfc1bac645f525c3e08623df6940096bcec459489eb019e855c679742fbfbf926bc8072e4214c1d2cc4322a5f4f92a66e5ae1ad271701d93e4eb7e44960

C:\Users\Admin\AppData\Local\Temp\123.bat

MD5 2616cc4f9600fee017bc361aa5285c7d
SHA1 1a5523357e6f13839de87a3d4adb0048b307726e
SHA256 6214839f639ddcd7e54ef2d59749334dff5abfd252a4758c2afc817d4cb4995f
SHA512 9dbed95bf2d4476c362c0ea45eb5d0f41fe502927bd7438e60511c7d7a1ab5be278cbf4caf435a3678f20c5227c9a47e71f490c48589d5dd23624948f2cb5da9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 14:12

Reported

2024-05-04 14:14

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\NoExplorer = "1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wybho.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Thunder.dll | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Internet Explorer\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "WYBHO.wybhotool.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID\ = "Thunder.xlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "WYBHO.wybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\ = "WYBHO 1.0 Type Library" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ = "C:\\Windows\\SysWow64\\Thunder.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "wybhotool Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ = "xlhelper Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13139d28789f574157b034cab3747cf7_JaffaCakes118.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s "C:\Windows\system32\wybho.dll"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/5064-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\wybho.dll

MD5 68b65524748712b97a3ece67887a8c57
SHA1 b902b20b96b89ae5a328fc9480aa74eb102d3f58
SHA256 7725e0ab99614776160cec3509d24b91607ac61be17f731b51fa418246bac7c1
SHA512 8b3fc11f09fd72cb8fa4512feee90680d018152d6690ffba2f1f919b52f6ac2143cca0da1c7f2fd5e2c9f59065594e1e7beda4becdb1c3992870539beb161f2e

memory/4420-7-0x0000000010000000-0x0000000010032000-memory.dmp

C:\Windows\SysWOW64\Thunder.dll

MD5 eaf8239add44ac986a321565efdfead9
SHA1 8129182ad7be9ef58a0d9a8a44f87f2c9133cbb2
SHA256 c68e173f06f9db9334f0e0ff3a8b9f4e51963df33557658bfbadc36764a0ae66
SHA512 4fd17dfc1bac645f525c3e08623df6940096bcec459489eb019e855c679742fbfbf926bc8072e4214c1d2cc4322a5f4f92a66e5ae1ad271701d93e4eb7e44960

C:\Users\Admin\AppData\Local\Temp\123.bat

MD5 2616cc4f9600fee017bc361aa5285c7d
SHA1 1a5523357e6f13839de87a3d4adb0048b307726e
SHA256 6214839f639ddcd7e54ef2d59749334dff5abfd252a4758c2afc817d4cb4995f
SHA512 9dbed95bf2d4476c362c0ea45eb5d0f41fe502927bd7438e60511c7d7a1ab5be278cbf4caf435a3678f20c5227c9a47e71f490c48589d5dd23624948f2cb5da9