Malware Analysis Report

2025-08-11 07:35

Sample ID 241015-1pyvasyfpb
Target 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118
SHA256 b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2
Tags
adware bootkit discovery persistence stealer
score
8/10

Analysis Overview

score
8/10

SHA256

b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2

Threat Level: Likely malicious

The file 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit discovery persistence stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 21:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 21:50

Reported

2024-10-15 21:52

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\aaad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aaad.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aaad.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\25b C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\830e.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\13207944 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64au.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864d.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4780 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4780 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4780 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4780 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4780 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4780 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4780 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 4032 wrote to memory of 2908 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -i

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -s

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 6604017b97723459582278f29adf20d5
SHA1 6eec88c892a29bf10d20692b08561d74406e2e50
SHA256 d887f632b8652be987072fc87a418edf75b9bfaf7482976815b10b0cef7f3754
SHA512 4f6f9f02be6c6e244965238e0fdf191eeaafd1690b5e669b22f0064d67cb1128150b49ec691f58896d91439f81570f2467e4148147a3fbfc727148193eb526aa

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 8b648c94ec827c3424a2521364186891
SHA1 550bfd17903727aa4add841f27d4d9bf54377897
SHA256 c86d1230cd214571b3350c6db2a5f57083b23119feadaad9db388e666bfb00cc
SHA512 0564dd66eb92259f0594b83e2aa5f555751a1ee20ed39d12662c0ce13f95bc5860efa6807ac2035232a4bb46781e14c36d7acc5ea4db9fa1b893b4cec803b857

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 828ccba7ef24786cd58e94d15846a0c7
SHA1 1c0029ca95356f7cbc77e2a8c2954777dc22b48a
SHA256 12fb77c027354c279cad3dc9ba03bfbe75c2c2756c9d45be6a57e0e2378f48dd
SHA512 3adc2abddb2e1bbc7776a8abf9772cf100800d4c48bc193d5d7ceb2b8141ef0203a8868248995ee311ad0cc8c3561aa21fc98fe66ee8ddc50c5d4281299ed5cc

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 21:50

Reported

2024-10-15 21:52

Platform

win7-20240903-en

Max time kernel

147s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\aaad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aaad.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\830e.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\-126-882516 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\1cd C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aaad.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864d.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64au.bmp C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
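
Read together, the rows above are a single COM class registration: the CLSID {84C4A916-2F38-41C4-99BD-C4E8FA05EA54} under Wow6432Node, its InprocServer32 pointing at C:\Windows\SysWow64\8ado.dll, the ProgID BHO.FunPlayer.1 that resolves back to that CLSID, and a type library whose win32 entry names the same DLL. The script below rebuilds that structure from the rows so the loaded module and its bitness can be read off directly. It is an added example for this report, not sandbox output or code from the sample; the row layout it parses (description, registry path, quoted value, process, target) is inferred from the table above, and the rows it embeds are a constructed subset of that table.

```python
"""Rebuild the COM/BHO registration from 'Modifies registry class' rows.

Added example for this report, not sandbox output or code from the sample.
The row format is inferred from the report's table; the rows below are a
constructed subset of it.
"""
import re
from collections import defaultdict

CLASSES_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes"

# Constructed sample input: rows copied from the report's table.
REGISTRY_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# description, (type), path, = "value", process, target
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+) (\S+)$')


def split_key(path):
    """Turn a registry path into (is_wow64, key components, value name)."""
    rel = path[len(CLASSES_ROOT) + 1:]          # drop the HKLM\Software\Classes prefix
    parts = rel.split("\\")
    value = parts.pop()                         # '' means the key's default value
    wow64 = bool(parts) and parts[0] == "Wow6432Node"
    if wow64:
        parts = parts[1:]
    return wow64, parts, value or "(Default)"


def parse_registry_events(text):
    """Collect CLSID, ProgID and TypeLib registrations from the event rows."""
    clsids, progids, typelibs = defaultdict(dict), {}, defaultdict(dict)
    for line in text.strip().splitlines():
        m = SET_VALUE.match(line)
        if not m:
            continue                            # 'Key created' rows carry no value
        _, path, value, process, _ = m.groups()
        if not path.startswith(CLASSES_ROOT):
            continue
        value = value.replace("\\\\", "\\")     # the report doubles backslashes in values
        wow64, parts, name = split_key(path)
        if parts[0] == "CLSID" and len(parts) >= 2:
            entry = clsids[parts[1]]
            entry["wow64"], entry["registered_by"] = wow64, process
            sub = parts[2] if len(parts) > 2 else None
            if sub is None and name == "(Default)":
                entry["description"] = value
            elif sub == "InprocServer32" and name == "(Default)":
                entry["InprocServer32"] = value     # the DLL a host will load in-process
            elif sub == "InprocServer32":
                entry[name] = value                 # e.g. ThreadingModel
            elif sub in ("ProgID", "TypeLib", "VersionIndependentProgID"):
                entry[sub] = value
        elif parts[0] == "TypeLib" and len(parts) >= 2:
            typelibs[parts[1]][parts[-1]] = value   # e.g. 'win32' -> DLL path
        elif len(parts) == 2 and parts[1] == "CLSID":
            progids[parts[0]] = value               # ProgID -> CLSID
    return {"clsids": dict(clsids), "progids": progids, "typelibs": dict(typelibs)}


def com_servers(reg):
    """Map each registered CLSID to the in-process server DLL it names."""
    return {c: e["InprocServer32"] for c, e in reg["clsids"].items() if "InprocServer32" in e}


def describe(reg):
    """Human-readable summary of every class found."""
    out = []
    for clsid, e in reg["clsids"].items():
        bits = "32-bit (Wow6432Node)" if e.get("wow64") else "64-bit"
        out.append(f"{clsid} {e.get('description', '?')} [{bits}]")
        out.append(f"  InprocServer32 = {e.get('InprocServer32', '?')} "
                   f"(ThreadingModel={e.get('ThreadingModel', '?')})")
        out.append(f"  ProgID = {e.get('ProgID', '?')}  TypeLib = {e.get('TypeLib', '?')}")
        win32 = reg["typelibs"].get(e.get("TypeLib", ""), {}).get("win32")
        if win32:
            out.append(f"  TypeLib win32 = {win32}")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(parse_registry_events(REGISTRY_EVENTS)))
```

Because the class is registered under Wow6432Node and its server sits in SysWow64, only a 32-bit host can instantiate it. The Browser Helper Objects key that makes a browser load a CLSID is a separate write and is not among the rows above, so this table establishes that the class was registered, not which host will load it.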

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 3068 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2248 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2104 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2192 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2816 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2920 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 2328 wrote to memory of 2584 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 2652 wrote to memory of 1064 (7 events) N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2764 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
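
Every target in the table above is one of the child processes listed under Processes below: five regsvr32.exe instances, two aaad.exe instances and one rundll32.exe written to by the dropper (PID 2328), plus one rundll32.exe (PID 1064) written to by an aaad.exe instance (PID 2652) that the dropper never wrote to. The script below aggregates the rows into that write graph. It is an added example for this report, not sandbox output or code from the sample; the per-event row format it parses ('PID <src> wrote to memory of <dst> N/A <source image> <target image>') is inferred from the table, and its input rows are constructed, one per event, to match the table's counts.

```python
"""Aggregate 'Suspicious use of WriteProcessMemory' rows into a write graph.

Added example for this report, not sandbox output or code from the sample.
The per-event row format is inferred from the report's table; the rows below
are constructed to match the counts it lists.
"""
import re
from collections import Counter, defaultdict

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
REGSVR32 = r"C:\Windows\SysWOW64\regsvr32.exe"
AAAD = r"C:\Windows\SysWOW64\aaad.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"


def row(src, dst, src_img, dst_img):
    """One event row in the sandbox's layout."""
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Constructed sample input: the event counts mirror the report's table.
WPM_EVENTS = "\n".join(
    [row(2328, 3068, DROPPER, REGSVR32)] * 7
    + [row(2328, 2248, DROPPER, REGSVR32)] * 7
    + [row(2328, 2104, DROPPER, REGSVR32)] * 7
    + [row(2328, 2192, DROPPER, REGSVR32)] * 7
    + [row(2328, 2816, DROPPER, REGSVR32)] * 7
    + [row(2328, 2920, DROPPER, AAAD)] * 4
    + [row(2328, 2584, DROPPER, AAAD)] * 4
    + [row(2652, 1064, AAAD, RUNDLL32)] * 7
    + [row(2328, 2764, DROPPER, RUNDLL32)] * 7
)


def parse_wpm(text):
    """Return (Counter of (src_pid, dst_pid) -> event count, pid -> image path)."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = WPM_ROW.match(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return edges, images


def write_tree(edges, images):
    """Group write targets under each writing PID, with the event count per target."""
    tree = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        tree[src].append((dst, images[dst], n))
    return dict(tree)


def distinct_targets_by_image(edges, images):
    """How many separate processes of each image were written into."""
    per_image = defaultdict(set)
    for _, dst in edges:
        per_image[images[dst].rsplit("\\", 1)[-1]].add(dst)
    return {img: len(pids) for img, pids in per_image.items()}


def second_stage_writers(edges, images, dropper=DROPPER):
    """PIDs other than the dropper that themselves wrote into another process."""
    return sorted({src for src, _ in edges if images[src] != dropper})


def unexplained_writers(edges):
    """Writers that never appear as a target: their creation is not recorded here."""
    targets = {dst for _, dst in edges}
    return sorted({src for src, _ in edges if src not in targets})


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_EVENTS)
    for src, targets in write_tree(edges, images).items():
        print(f"{src} {images[src]}")
        for dst, img, n in targets:
            print(f"    -> {dst} {img} ({n} writes)")
    print("targets per image:", distinct_targets_by_image(edges, images))
    print("second-stage writers:", second_stage_writers(edges, images))
    print("writers not created here:", unexplained_writers(edges))
```

Parent-to-child writes immediately after process creation are also what ordinary process start-up looks like to this signature, so the table on its own does not establish code injection. What it does establish is the staging order: dropper to regsvr32.exe, aaad.exe and rundll32.exe, then an aaad.exe instance to a second rundll32.exe. PID 2652 is never a target, so how that aaad.exe instance was started is not recorded in this table.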

Processes

C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -i

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -s

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
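
Two details in the command lines above matter for triage. The images run from C:\Windows\SysWOW64 while the command lines say C:\Windows\system32: for a 32-bit process that path is redirected to SysWOW64, which is why the drop table lists the DLLs there. And the order is four silent unregistrations (/u /s) followed by one silent registration of 8ado.dll, then aaad.exe -i and -s, then rundll32 invoking the Always export of 830e.dll. The script below runs a small set of rules over those command lines, resolving the redirected paths and tagging each row. It is an added example, not sandbox output or code from the sample; the rules and the short-random-name heuristic are my own, chosen to fit this sample's drop names, and the input list is copied from the Processes section.

```python
"""Command-line triage rules over the Processes section of this report.

Added example, not sandbox output or code from the sample. The rules and the
3-4 character name heuristic are assumptions fitted to this sample; the input
pairs are copied from the report.
"""
import ntpath
import re

# Heuristic for this sample's drop names (70l8.dll, 8ado.dll, aaad.exe, ...).
RANDOM_NAME = re.compile(r"^[0-9a-z]{3,4}\.(dll|exe)$")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')      # quoted argument or bare word

# Constructed input: (image path, command line) pairs from the Processes section.
PROCESSES = [
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"'),
    (r"C:\Windows\SysWOW64\aaad.exe", r"C:\Windows\system32\aaad.exe -i"),
    (r"C:\Windows\SysWOW64\aaad.exe", r"C:\Windows\system32\aaad.exe -s"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always"),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def resolve_wow64(path, image):
    r"""A 32-bit process (image under SysWOW64) sees C:\Windows\system32 as
    C:\Windows\SysWOW64 through file system redirection; return the real path."""
    if "\\syswow64\\" in image.lower():
        return re.sub(r"(?i)\\system32\\", r"\\SysWOW64\\", path)
    return path


def triage(image, cmdline):
    """Return (resolved module path, tags) for one process."""
    argv = tokenize(cmdline)
    exe = ntpath.basename(argv[0]).lower()
    tags, module = [], None
    if exe.startswith("regsvr32"):
        flags = {a.lower() for a in argv[1:] if a.startswith(("/", "-"))}
        module = next((a for a in argv[1:] if not a.startswith(("/", "-"))), None)
        tags.append("regsvr32-unregister" if "/u" in flags or "-u" in flags else "regsvr32-register")
        if "/s" in flags or "-s" in flags:
            tags.append("silent")
    elif exe.startswith("rundll32"):
        # rundll32 takes "<module>,<export>"; the comma may be followed by a space.
        module, _, export = " ".join(argv[1:]).partition(",")
        module, export = module.strip(), export.strip()
        tags.append(f"rundll32-export:{export}")
    else:
        module = argv[0]
        if "\\syswow64\\" in image.lower() or "\\system32\\" in image.lower():
            tags.append("binary-in-system-dir")
    if module:
        module = resolve_wow64(module, image)
        if RANDOM_NAME.match(ntpath.basename(module).lower()):
            tags.append("random-4char-name")
    return module, tags


def triage_all(processes):
    """Apply the rules to every (image, command line) pair."""
    return [(image, cmd, *triage(image, cmd)) for image, cmd in processes]


if __name__ == "__main__":
    for image, cmd, module, tags in triage_all(PROCESSES):
        print(f"{cmd}\n    module={module} tags={tags}")
```

The resolved module paths are the ones to match against the drop table and the file hashes, not the paths printed in the command lines; on a 64-bit host a search of C:\Windows\System32 for these names would come up empty.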

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 yahoo.com.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 03e9030cbaf4175994fe67f84b1f155d
SHA1 767c1368adae868841650ecf87951d2251bc3c96
SHA256 7d274b8adfa036a114a2d34e747b42316c04c388b1f7d83d3c4de50f8b2a8ad1
SHA512 94210245c58b71b8237ebc17aa95b7b61bf41cd9ed3aab5cf9b4cfdf88332ee4c0cdc218af354ea6e9392034b9c3c862ca16cb6bacd144f107358bdd2f4a3ea5

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 19b3792652d33d6719232035fca1d111
SHA1 14b676a104d9e8bf889978d599e0a786e2486035
SHA256 fb01aeaab52e658cdf929c14f73dec26285b1a2258e852787e712628d12dccac
SHA512 18ecbb45591f129351eca106e847f7e5a1ad803b48b069b97b1b09108d4c1de8c16785255ec65a3b974f217c5a3d5307852042d51ed3a10fc7d78fbef75cb835

memory/2816-45-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 1df34f9eff7aef89bec15427fb63f232
SHA1 6e243da7d8f72ca670f36d337fb5a510074d1c13
SHA256 f401573e17067a7036e352fd4d6c6bec831f31c4c4d5cc0313f9ec9406136c59
SHA512 daedbf20868a531062418d30a865e82e63b7ddb1b87a27c89143e954f01659856d83101bd3fae43f1059c8e436e051b81c125249d4ad1a85c4b0d62c5530899b

memory/2328-54-0x0000000002200000-0x000000000221E000-memory.dmp

memory/2328-59-0x0000000002200000-0x000000000221E000-memory.dmp

memory/2920-61-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2584-73-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-71-0x0000000010000000-0x0000000010026000-memory.dmp

memory/1064-90-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2764-89-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2764-88-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2652-94-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-95-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-98-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2764-97-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2652-100-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-101-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2764-103-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2652-104-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-106-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-107-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2764-109-0x0000000010000000-0x00000000100B2000-memory.dmp

memory/2652-110-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-112-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-113-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-117-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-118-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-121-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-123-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-124-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-128-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-131-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-133-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-134-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-137-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-139-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-140-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-144-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-145-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-148-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-151-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-150-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-152-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-155-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-157-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-160-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-162-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-163-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-167-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-166-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-170-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-169-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2652-171-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2652-175-0x0000000010000000-0x0000000010026000-memory.dmp