Malware Analysis Report

2025-01-18 22:03

Sample ID: 240622-d2ynqszcqr
Target: 0114581bad4260366554aa8aca92cf6e_JaffaCakes118
SHA256: a56f3f1de63018a920e530c775228c087357eed8122019b88a5d1d3d84c64e53
Tags: adware bootkit persistence stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: a56f3f1de63018a920e530c775228c087357eed8122019b88a5d1d3d84c64e53

Threat Level: Likely malicious

The file 0114581bad4260366554aa8aca92cf6e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit persistence stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 03:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 03:30
Reported: 2024-06-22 03:33
Platform: win7-20240611-en
Max time kernel: 147s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\b55d.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\b55d.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\b55d.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4bl4.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4bl4.dlltmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bba6.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\c6cb.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\c35s.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b33d.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\46be.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\3ce8.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\c6cb.dlltmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\353r.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4b3o.dlltmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\8010412720 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b3rc.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\36ud.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\353r.dlltmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4b3o.dll | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\3cccd2 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\480.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\d48.flv | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\80a.bmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\0acu.bmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\80au.bmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File created | C:\Windows\Tasks\ms.job | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\b5b3.bmp | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\b3cd.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\436b.flv | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\d48d.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\3cdd.flv | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\480d.exe | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\d48d.flv | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 2644 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\b55d.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\b55d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"

C:\Windows\SysWOW64\b55d.exe

C:\Windows\system32\b55d.exe -i

C:\Windows\SysWOW64\b55d.exe

C:\Windows\system32\b55d.exe -s

C:\Windows\SysWOW64\b55d.exe

C:\Windows\SysWOW64\b55d.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | yahoo.com.cn | udp
US | 8.8.8.8:53 | 122.770304123.cn | udp
US | 8.8.8.8:53 | 122.zzso.cn | udp

Files

memory/2644-0-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2644-1-0x00000000002A0000-0x0000000000312000-memory.dmp

memory/2644-3-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2644-2-0x00000000002A0000-0x0000000000312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 09e68bea9f7f56e137d5ae797f727d1d
SHA1 c345aef59078242347f7592faa65487a3c2b600f
SHA256 d11c6d1ce3edb1f6ab477c22e7a67119bb3b85deeecd64e8b6b28a8d36d5c464
SHA512 57c9e0373216dab7e0bc9afe8741438d692fae3f95ec8db2501131266fe30a8a18e22e253ee358b8f3079ea0267575dff5681f4e5d9cd6cbcfceeac1a3fdb8a2

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 38daeef9d74e414adf1caf6a6f8684dc
SHA1 a7fa6792ae5a836ec72fca8ba897454a50cf99cc
SHA256 930f5716c85bdc30236ee1d3cc4d07e068adca9360e8477704ec79be1a874378
SHA512 5e72b0c97e99f0a2ef432572746c9b4554d45f872923e61093cce613294b1d93d5c0d6e8fe5cb6a8e441c0920342f4040319bdddc0f4f173d941d27276aaf949

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll

MD5 7eee3aa14ae66dbae2a8e3382a6d79dc
SHA1 22f87749fa3c5db7179ea0b2bb5146350fc8f0a8
SHA256 ea42ed765cb892ef9f15fee7f65a67751f7adf559df3fa93b2d4f9428b3fa375
SHA512 dc7b63926e8cf066548ef2b83472c4f8d6c84e17080607b5022a0e498fd7c7271269537836a668469e33efa343e1f979b0b314986bae29078333435bb33fde9e

memory/2644-66-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2644-65-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2600-68-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2600-74-0x0000000000230000-0x000000000024D000-memory.dmp

memory/2600-73-0x0000000000230000-0x000000000024D000-memory.dmp

memory/2600-75-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2644-79-0x0000000000320000-0x000000000033D000-memory.dmp

memory/1460-82-0x0000000000230000-0x000000000024D000-memory.dmp

memory/1828-85-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1460-86-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2644-88-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1828-89-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2644-95-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2316-108-0x0000000010000000-0x00000000100B3000-memory.dmp

memory/1480-107-0x0000000010000000-0x00000000100B3000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 03:30

Reported

2024-06-22 03:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\b55d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\b55d.exe N/A
N/A N/A C:\Windows\SysWOW64\b55d.exe N/A
N/A N/A C:\Windows\SysWOW64\b55d.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\b55d.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\b3rc.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\c6cb.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\87-108-30-69 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\1f74 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\3ce8.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\36ud.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\c6cb.dlltmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\353r.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\46be.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\b55d.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\4bl4.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\c35s.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\b33d.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\353r.dlltmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\4bl4.dlltmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bba6.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\4b3o.dll C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\4b3o.dlltmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\0acu.bmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\b3cd.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\436b.flv C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d48d.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\3cdd.flv C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\80a.bmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\80au.bmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\b5b3.bmp C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\480.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d48.flv C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\480d.exe C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d48d.flv C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\b55d.exe N/A
N/A N/A C:\Windows\SysWOW64\b55d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 432 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\b55d.exe
PID 432 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 432 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 432 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 1872 wrote to memory of 3964 N/A C:\Windows\SysWOW64\b55d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1872 wrote to memory of 3964 N/A C:\Windows\SysWOW64\b55d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1872 wrote to memory of 3964 N/A C:\Windows\SysWOW64\b55d.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"

C:\Windows\SysWOW64\b55d.exe

C:\Windows\system32\b55d.exe -i

C:\Windows\SysWOW64\b55d.exe

C:\Windows\system32\b55d.exe -s

C:\Windows\SysWOW64\b55d.exe

C:\Windows\SysWOW64\b55d.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 163.com udp
US 8.8.8.8:53 sohu.com udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 163.com udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 163.com udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 163.com udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 ac6bc5dbe4279b83d53f25efe7948e86
SHA1 917a006474cf368d781ad6f776344ab74fd5c237
SHA256 735417026f1a4d2bef5f15614c01a4317e24df53972ce7cfd5103fd3028ee824
SHA512 c7df55157633a309533f284c39cd957a4aa4a7858c8e7e663ae1fdd65210fa14005fa3cfc44833b28d084faa34e6ea6d418a2943a17338dc3b00835209f9395b

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 b541eeaa97f82c40e6bf93975c389c0f
SHA1 f1de976a13040a805e2b0896348c5b4d0ed296a1
SHA256 53b42a5ff3309a7defb631af2af463fcb6de1da577677f0efb3414cc97d41564
SHA512 cea85dcad2bb73398685fb7e83ef311c8f9e01b5fadd274cfb86e19d3bba533a42ca3762cedd8f0763cf7ab2807b46050d03dfa12de616a755577068cfd85c93

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll

MD5 eabfedfc3780d2c372477d20248bc1d7
SHA1 a1514f82fe7a7b7cf4c94464e59fa1dd228d795d
SHA256 778e3eb418ba2333694c33150cb2bcbfc3c666bd9e948680ef97daeb74d55468
SHA512 fc2b5beb5dccd769e8ed110f974bb4e6161d0fbdb9291b5797bcad911f911048a4c9021bcef2b73283c9557e3ccc7a16dc0cb3c1cff66094736c039c1344195f
