Analysis Overview
SHA256
a56f3f1de63018a920e530c775228c087357eed8122019b88a5d1d3d84c64e53
Threat Level: Likely malicious
The file 0114581bad4260366554aa8aca92cf6e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 03:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 03:30
Reported
2024-06-22 03:33
Platform
win7-20240611-en
Max time kernel
147s
Max time network
119s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\b55d.exe | N/A |
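The indicator behind this signature is the hosts file, not a driver: b55d.exe opens C:\Windows\System32\drivers\etc\hosts with write access. The report only shows the handle, not what was written, so the check on a suspect host is to parse the file and list every active mapping that is not the stock localhost entry. The script below is an added example, not part of the sandbox report; SAMPLE_HOSTS is constructed test data (a trimmed default header plus two entries of the kind a hijack adds) and the function names are the author's own.

```python
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample, not recovered from the malware: the stock file carries
# only commented-out localhost lines, so any active mapping is worth a look.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1   update.example-av.test
198.51.100.7 www.example-bank.test   # trailing comment is ignored
"""

# Names a stock hosts file may legitimately map; everything else is reported.
STOCK_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str):
    """Return one {line, ip, host} record per hostname on every active line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, whole-line or trailing
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line; the resolver skips it too
        for host in parts[1:]:
            entries.append({"line": lineno, "ip": addr, "host": host.lower()})
    return entries


def suspicious_hosts_entries(text: str):
    """Classify each non-stock mapping: loopback/unspecified targets sinkhole
    a name (typical for blocking security-vendor update hosts), anything else
    redirects it to an attacker-chosen address."""
    findings = []
    for e in parse_hosts(text):
        if e["host"] in STOCK_HOSTS:
            continue
        ip = e["ip"]
        reason = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": e["line"], "host": e["host"], "ip": str(ip), "reason": reason})
    return findings


def read_local_hosts(path: str = HOSTS_PATH) -> str:
    """Read the live hosts file (reading needs no elevation on Windows)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Because hosts-file redirection never generates a DNS query, it also explains why a sandbox network table can look clean for names the malware has sinkholed locally; compare the live file against the sample shown here or against a known-good copy rather than relying on DNS logs.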
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\b55d.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
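Three processes open \??\PhysicalDrive0 for modification, which is a write-capable handle to the raw disk; the report does not show whether sector 0 was actually rewritten. The way to settle that on an affected machine is to read the first 512 bytes of the disk and compare them field by field against a known-good image. The code below is an added example (not from the sandbox or the sample): it builds a constructed MBR for the demonstration, parses the boot code, disk signature, partition table and 0x55AA signature, and reports which part differs between two images. build_sample_mbr, parse_mbr and compare_mbr are the author's own names.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Constructed 512-byte MBR image for the demo (not taken from the sample).
    Layout: 440 bytes boot code, 4-byte disk signature, 2 reserved bytes,
    four 16-byte partition entries, 0x55AA boot signature."""
    boot_code = bytes([bootstrap_fill]) * 440
    disk_sig = struct.pack("<I", 0x1234ABCD)
    # one active NTFS partition (type 0x07) at LBA 2048, 1 GiB of 512-byte sectors
    entry = struct.pack(PART_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
    return boot_code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": partitions,
        "boot_signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """A bootkit typically replaces the boot code and leaves the partition
    table intact so the machine still boots; report each field separately."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": base["boot_code_sha256"] != cur["boot_code_sha256"],
        "partition_table_changed": base["partitions"] != cur["partitions"],
        "disk_signature_changed": base["disk_signature"] != cur["disk_signature"],
        "boot_signature_ok": cur["boot_signature_ok"],
    }


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk. Needs an elevated prompt on Windows;
    the same call works on Linux with a device such as /dev/sda."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(0x90)            # NOP-filled boot code stands in for a known-good image
    tampered = bytearray(clean)
    tampered[0:8] = b"\xeb\x00\x90\x90\xfa\xfc\x31\xc0"   # overwrite only the start of the boot code
    print(compare_mbr(clean, bytes(tampered)))
```

In practice the baseline is an image taken from a clean installation of the same Windows build, or the MBR written by a trusted bootrec/bootsect run; a changed boot code hash with an unchanged partition table is the pattern to escalate, while a changed disk signature alone is more often the result of a legitimate disk-management operation.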
Drops file in System32 directory
Drops file in Windows directory
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
C:\Windows\SysWOW64\b55d.exe
C:\Windows\system32\b55d.exe -i
C:\Windows\SysWOW64\b55d.exe
C:\Windows\system32\b55d.exe -s
C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
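The process list shows a compact installer pattern: four silent regsvr32 /u /s unregistrations of four-character DLL names in system32 (which suggests the dropper clears out copies left by earlier installs), one regsvr32 /s registration of 4b3o.dll, a dropped b55d.exe run with -i and then -s, and rundll32 calling the Always export of 46be.dll. Those are command-line features a detection rule can key on. The code below is an added example, not part of the report: it runs three heuristics over the lines above (SAMPLE_PROCESSES is copied from that list) and returns findings with the regsvr32 action and rundll32 export resolved. The rule names, the KNOWN_SHORT allowlist and the helper names are the author's own; the allowlist is illustrative and deliberately incomplete.

```python
import re

# Lines copied from the "Processes" list above (image paths and command lines).
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
C:\Windows\system32\b55d.exe -i
C:\Windows\system32\b55d.exe -s
C:\Windows\SysWOW64\b55d.exe
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
"""

SHORT_NAME = re.compile(r"^[0-9a-z]{4}\.(?:dll|exe)$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Legitimate four-character system binaries (illustrative allowlist, not complete).
KNOWN_SHORT = {"ping.exe", "find.exe", "sort.exe", "wmic.exe", "wusa.exe",
               "msdt.exe", "help.exe", "dxgi.dll", "d3d9.dll", "avrt.dll", "umpo.dll"}
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str):
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def short_system_binary(path: str) -> bool:
    name = basename(path).lower()
    return (path.lower().startswith(SYSTEM_DIRS)
            and bool(SHORT_NAME.match(name)) and name not in KNOWN_SHORT)


def analyze(process_lines: str):
    """Apply the three heuristics to each line (image path or command line)
    independently; duplicates of the same rule/path/detail are collapsed."""
    findings, seen = [], set()

    def add(rule, path, **extra):
        key = (rule, path.lower(), tuple(sorted(extra.items())))
        if key not in seen:
            seen.add(key)
            findings.append({"rule": rule, "path": path, **extra})

    for line in process_lines.strip().splitlines():
        toks = tokens(line.strip())
        if not toks:
            continue
        image, args = toks[0], toks[1:]
        exe = basename(image).lower()
        if exe in ("regsvr32.exe", "regsvr32"):
            flags = {a.lower() for a in args if a.startswith("/")}
            dll = next((a for a in args if not a.startswith("/")), None)
            if dll and "/s" in flags and short_system_binary(dll):
                add("regsvr32_silent_short_dll", dll,
                    action="unregister" if "/u" in flags else "register")
        elif exe in ("rundll32.exe", "rundll32") and args:
            dll, _, export = args[0].partition(",")      # "x.dll,Export" or "x.dll, Export"
            if not export and len(args) > 1:
                export = args[1]
            if short_system_binary(dll):
                add("rundll32_short_dll", dll, export=export.strip())
        if short_system_binary(image):
            add("short_named_binary_in_system_dir", image, args=" ".join(args))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print(f)
```

The same logic ports directly to a Sysmon Event ID 1 or EDR process-creation feed, where the parent process is also available: regsvr32 and rundll32 spawned from a binary in a user's Temp directory, as here, is a stronger signal than either command line on its own. Expect the short-name heuristic to need tuning per environment; the allowlist above only shows where that tuning goes.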
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
Files
memory/2644-0-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2644-1-0x00000000002A0000-0x0000000000312000-memory.dmp
memory/2644-3-0x0000000000260000-0x0000000000262000-memory.dmp
memory/2644-2-0x00000000002A0000-0x0000000000312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | 09e68bea9f7f56e137d5ae797f727d1d |
| SHA1 | c345aef59078242347f7592faa65487a3c2b600f |
| SHA256 | d11c6d1ce3edb1f6ab477c22e7a67119bb3b85deeecd64e8b6b28a8d36d5c464 |
| SHA512 | 57c9e0373216dab7e0bc9afe8741438d692fae3f95ec8db2501131266fe30a8a18e22e253ee358b8f3079ea0267575dff5681f4e5d9cd6cbcfceeac1a3fdb8a2 |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | 38daeef9d74e414adf1caf6a6f8684dc |
| SHA1 | a7fa6792ae5a836ec72fca8ba897454a50cf99cc |
| SHA256 | 930f5716c85bdc30236ee1d3cc4d07e068adca9360e8477704ec79be1a874378 |
| SHA512 | 5e72b0c97e99f0a2ef432572746c9b4554d45f872923e61093cce613294b1d93d5c0d6e8fe5cb6a8e441c0920342f4040319bdddc0f4f173d941d27276aaf949 |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll
| MD5 | 7eee3aa14ae66dbae2a8e3382a6d79dc |
| SHA1 | 22f87749fa3c5db7179ea0b2bb5146350fc8f0a8 |
| SHA256 | ea42ed765cb892ef9f15fee7f65a67751f7adf559df3fa93b2d4f9428b3fa375 |
| SHA512 | dc7b63926e8cf066548ef2b83472c4f8d6c84e17080607b5022a0e498fd7c7271269537836a668469e33efa343e1f979b0b314986bae29078333435bb33fde9e |
memory/2644-66-0x0000000000320000-0x000000000033D000-memory.dmp
memory/2644-65-0x0000000000320000-0x000000000033D000-memory.dmp
memory/2600-68-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2600-74-0x0000000000230000-0x000000000024D000-memory.dmp
memory/2600-73-0x0000000000230000-0x000000000024D000-memory.dmp
memory/2600-75-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2644-79-0x0000000000320000-0x000000000033D000-memory.dmp
memory/1460-82-0x0000000000230000-0x000000000024D000-memory.dmp
memory/1828-85-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1460-86-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2644-88-0x0000000000260000-0x0000000000262000-memory.dmp
memory/1828-89-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2644-95-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2316-108-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1480-107-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/2316-106-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/2316-105-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1828-112-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-113-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-116-0x0000000010000000-0x0000000010024000-memory.dmp
memory/2316-115-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1828-118-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-119-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2316-121-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1828-123-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-124-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2316-126-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1828-128-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-131-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-133-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-137-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-138-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-142-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-143-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-147-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-148-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-152-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-156-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-159-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-161-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-165-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-169-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-172-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-173-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-175-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1828-177-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-179-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1828-180-0x0000000010000000-0x0000000010024000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 03:30
Reported
2024-06-22 03:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\b55d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\b55d.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\b55d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0114581bad4260366554aa8aca92cf6e_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
C:\Windows\SysWOW64\b55d.exe
C:\Windows\system32\b55d.exe -i
C:\Windows\SysWOW64\b55d.exe
C:\Windows\system32\b55d.exe -s
C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 163.com | udp |
| US | 8.8.8.8:53 | sohu.com | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 163.com | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 163.com | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 163.com | udp |
Files
memory/432-1-0x0000000002090000-0x0000000002092000-memory.dmp
memory/432-0-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | ac6bc5dbe4279b83d53f25efe7948e86 |
| SHA1 | 917a006474cf368d781ad6f776344ab74fd5c237 |
| SHA256 | 735417026f1a4d2bef5f15614c01a4317e24df53972ce7cfd5103fd3028ee824 |
| SHA512 | c7df55157633a309533f284c39cd957a4aa4a7858c8e7e663ae1fdd65210fa14005fa3cfc44833b28d084faa34e6ea6d418a2943a17338dc3b00835209f9395b |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | b541eeaa97f82c40e6bf93975c389c0f |
| SHA1 | f1de976a13040a805e2b0896348c5b4d0ed296a1 |
| SHA256 | 53b42a5ff3309a7defb631af2af463fcb6de1da577677f0efb3414cc97d41564 |
| SHA512 | cea85dcad2bb73398685fb7e83ef311c8f9e01b5fadd274cfb86e19d3bba533a42ca3762cedd8f0763cf7ab2807b46050d03dfa12de616a755577068cfd85c93 |
memory/2436-49-0x0000000010000000-0x0000000010024000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll
| MD5 | eabfedfc3780d2c372477d20248bc1d7 |
| SHA1 | a1514f82fe7a7b7cf4c94464e59fa1dd228d795d |
| SHA256 | 778e3eb418ba2333694c33150cb2bcbfc3c666bd9e948680ef97daeb74d55468 |
| SHA512 | fc2b5beb5dccd769e8ed110f974bb4e6161d0fbdb9291b5797bcad911f911048a4c9021bcef2b73283c9557e3ccc7a16dc0cb3c1cff66094736c039c1344195f |
memory/3516-59-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3516-62-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-66-0x0000000010000000-0x0000000010024000-memory.dmp
memory/4236-68-0x0000000000400000-0x000000000041D000-memory.dmp
memory/432-75-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3964-79-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/2512-78-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1872-83-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-84-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2512-86-0x0000000010000000-0x00000000100B3000-memory.dmp
memory/1872-87-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-89-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-90-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-93-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-95-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-96-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-99-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-101-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-102-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-105-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-107-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-108-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-111-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-113-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-116-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-118-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-119-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-122-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-124-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-125-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-128-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-130-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-131-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-134-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-136-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-137-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-140-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-142-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-143-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-146-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-148-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-149-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-152-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-154-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-155-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-158-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-160-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-161-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1872-164-0x0000000010000000-0x0000000010024000-memory.dmp
memory/1872-166-0x0000000010000000-0x0000000010024000-memory.dmp