Malware Analysis Report

2025-08-06 01:36

Sample ID 241016-11nhpsvhrg
Target 4f4895f86b7a1c708892711e46132e3d_JaffaCakes118
SHA256 c5e685dd65228c0237e01b5467333f08b7de33ee15b320b6b21f687b6c8c564a
Tags
adware bootkit discovery persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c5e685dd65228c0237e01b5467333f08b7de33ee15b320b6b21f687b6c8c564a

Threat Level: Likely malicious

The file 4f4895f86b7a1c708892711e46132e3d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit discovery persistence stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:07

Reported

2024-10-16 22:09

Platform

win7-20240903-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\aaad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Loads dropped DLL

Process Events
C:\Windows\SysWOW64\regsvr32.exe 1
C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe 4
C:\Windows\SysWOW64\aaad.exe 36
C:\Windows\SysWOW64\rundll32.exe 8
(49 load events in total; the sandbox recorded no description, indicator or target for any of them, so the rows are grouped by loading process)

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aaad.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\830e.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\0299 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\-10889-1992 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aaad.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64au.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864d.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A 5
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A 2

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
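
What these keys amount to: a COM class {ED493CC4-E87B-4D8C-AC59-2A87A14237A0} whose InprocServer32 is C:\Windows\SysWow64\8ado.dll, ProgID BHO.FunPlayer.1, registered by regsvr32 /s and listed under the 32-bit Browser Helper Objects key so that 32-bit Internet Explorer loads the DLL into every browser process; the display name "Microsoft User" is a free-form string and says nothing about the publisher. The BHO key itself holds only the CLSID, so an analyst has to join it with the CLSID registration to learn which file is actually loaded. The script below does that join over rows in the report's own event format; it is an added example written for this page, not sandbox output, and the five embedded rows are copied from the tables above.

```python
import re
from dataclasses import dataclass

# Constructed sample: five registry events copied from the behavioral1 tables above,
# in the report's "Description Indicator Process Target" row format.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

GUID = r"\{([0-9A-Fa-f-]{36})\}"
# The BHO list; an optional Wow6432Node prefix marks the 32-bit view of the key.
RE_BHO_KEY = re.compile(r"(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + GUID, re.I)
RE_BHO_NAME = re.compile(r"Browser Helper Objects\\" + GUID + r'\\ = "([^"]*)"', re.I)
# The CLSID registration the BHO entry points at: the DLL that actually gets loaded.
RE_INPROC = re.compile(r"CLSID\\" + GUID + r'\\InprocServer32\\ = "([^"]*)"', re.I)
RE_PROGID = re.compile(r"CLSID\\" + GUID + r'\\ProgID\\ = "([^"]*)"', re.I)


@dataclass
class Bho:
    clsid: str
    wow64: bool          # registered under Wow6432Node: a 32-bit DLL loaded by 32-bit iexplore.exe
    name: str = ""       # display string only; "Microsoft User" proves nothing about the publisher
    progid: str = ""
    dll: str = ""        # InprocServer32 path


def unescape(value):
    """The report doubles backslashes inside quoted registry values."""
    return value.replace("\\\\", "\\")


def correlate_bhos(events):
    """Join each Browser Helper Objects\{CLSID} entry with its CLSID registration."""
    bhos, inproc, progids = {}, {}, {}
    for line in events.splitlines():
        if m := RE_BHO_KEY.search(line):
            clsid = m.group(2).upper()
            bhos.setdefault(clsid, Bho(clsid=clsid, wow64=bool(m.group(1))))
        if m := RE_BHO_NAME.search(line):
            bhos[m.group(1).upper()].name = m.group(2)
        if m := RE_INPROC.search(line):
            inproc[m.group(1).upper()] = unescape(m.group(2))
        if m := RE_PROGID.search(line):
            progids[m.group(1).upper()] = m.group(2)
    for clsid, bho in bhos.items():
        bho.dll = inproc.get(clsid, "")
        bho.progid = progids.get(clsid, "")
    return bhos


def summarize(bhos):
    """One analyst-readable line per BHO: CLSID, display name, bitness, DLL, ProgID."""
    return [f'{b.clsid} "{b.name}" ({"32-bit" if b.wow64 else "64-bit"}) -> {b.dll or "?"} [{b.progid or "?"}]'
            for b in bhos.values()]


if __name__ == "__main__":
    for line in summarize(correlate_bhos(SAMPLE_EVENTS)):
        print(line)
```

On a live host the same join is done against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID (plus the non-Wow6432Node pair for 64-bit BHOs), for example with winreg in place of the row parser; the DLL path is what to hash and check for a signature, not the display name.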

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2784 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 2784 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 2784 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 2784 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 2784 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 2784 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe 7
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe 7
PID 2784 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 1736 wrote to memory of 3024 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe 7
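
The sandbox raises this signature for any write into another process, including the writes ordinary process creation makes into a freshly created child, so the rows above record process creation as much as injection: every target of PID 2784 is one of the five regsvr32.exe, two aaad.exe and one rundll32.exe instances listed under Processes, while PID 1736 is an aaad.exe that 2784 never wrote to, a second root whose origin the report does not show. (The command lines under Processes say C:\Windows\system32\ while the image paths say SysWOW64 because the sample is 32-bit and file-system redirection rewrites the path.) Reconstructing the tree from the rows makes that structure visible. The script below is an added example for this page, not part of the report; it works on a constructed subset of the rows above, with repeated rows kept so the write counts are visible.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: seven rows in the report's "Description Indicator Process Target"
# format, taken from the table above (the report repeats each parent/child pair seven times).
SAMPLE = r"""
PID 2784 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 2784 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 1736 wrote to memory of 3024 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe
PID 1736 wrote to memory of 3024 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) for each logged write."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(rows):
    """children[ppid] -> set of pids written to; image[pid] -> path; writes[(ppid, pid)] -> count."""
    children, image, writes = defaultdict(set), {}, defaultdict(int)
    for ppid, pid, pimg, cimg in rows:
        children[ppid].add(pid)
        image[ppid] = pimg
        image[pid] = cimg
        writes[(ppid, pid)] += 1
    return children, image, writes


def roots(children):
    """PIDs that wrote to others but were never written to: the top of each tree.
    More than one root means some process was started by something the rows do not show."""
    written_to = set().union(*children.values()) if children else set()
    return sorted(p for p in children if p not in written_to)


def render(children, image, writes):
    """Indented text tree, one process per line, with the write count on each edge."""
    lines = []

    def walk(pid, depth, count):
        tag = f" ({count} write{'s' if count != 1 else ''})" if count else ""
        lines.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}{tag}")
        for child in sorted(children.get(pid, ())):
            walk(child, depth + 1, writes[(pid, child)])

    for root in roots(children):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(parse_rows(SAMPLE))))
```

A write into a process the writer did not create (a pid that is also some other parent's child, or a long-lived system process) is the pattern worth chasing as injection; the rows here show none.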

Processes

C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -i

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -s

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 yahoo.com.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 ebd5936e818cd71abd71febce443ee74
SHA1 b8bc8a6b1d7a09d4da389219f8dfed1a0ea66572
SHA256 58aa2311c7ffbc780b596bb9013805a98eed982b3661a77672affa2a11dc99c5
SHA512 7a7f1b7b169ef7034507c7b84479041f484cbcee5ee6de79e38738c77e36d4be006bbc3e1bb2c1a52d6b91ad1f15d5da1478fd781ed36dc4f29898f26f82baa8

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 70bb23073ea04ec7dbcd3551c34a88b4
SHA1 807a8e171467d233cd1a3e781835e12e173c977a
SHA256 b3a3d49907af8f91e7b91bc405cb488b284f204695f171cc43ef5f580875c26b
SHA512 55d4cdcfefd03ce682d261a9a1dc8de2b8db25ec3b29be0e0b7b839a9680d1f4e94b220e726870b82f5f1a34b770ebac8f52cfb4c5a536e761d54fbe1c3ee1dc

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 6c10c7a65f4d0f0d99bae8ffafd7bc4a
SHA1 be2ca7754c25883eafd6f360aca0ef4f7b6fda42
SHA256 4c64de9142b676b890e4f0f13f1fed5c25736c3219a2922e2f779c2cb2fffd39
SHA512 9a8af5d2a3257283c7d5498290eba4880a3f93799a2dcb36043fc65957d34054dbf3ec8b0b3eea305907ea31875a9f60ff59e74291881d1eb685a0d1149a8410

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:07

Reported

2024-10-16 22:09

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\aaad.exe N/A
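
This signature, here and in the identical behavioral1 entry, fires because aaad.exe opened C:\Windows\System32\drivers\etc\hosts for writing; nothing was dropped into a driver directory. The practical question is what the hosts file now resolves: a hosts hijack either sinkholes security vendors' update and safe-browsing hosts to 127.0.0.1 or 0.0.0.0, or redirects ordinary sites to an attacker-controlled address. The audit below is an added example written for this page, not code from the sandbox; it runs against a constructed hosts file embedded in the script, and the hostnames in it are made up.

```python
import ipaddress

# Constructed sample hosts file: the stock Windows header (localhost is commented out because
# DNS resolves it) followed by three entries of the kind a hosts-hijacking dropper appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   update.av-vendor.example          # constructed: AV update host sinkholed
127.0.0.1   safebrowsing.example.test
10.20.30.40 www.bank.example                  # constructed: redirected to an attacker host
"""

# Names a hosts file legitimately maps to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def audit_hosts(text):
    """Return one finding per hostname that the hosts file sinkholes or redirects.

    Each finding is {"line", "ip", "host", "reason"} with reason one of
    "sinkholed" (loopback or 0.0.0.0), "redirected" (any other address) or "unparseable".
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop full-line and inline comments
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append({"line": lineno, "ip": ip_text, "host": " ".join(names), "reason": "unparseable"})
            continue
        for name in names:
            if ip.is_loopback and name.lower() in LOCAL_NAMES:
                continue                              # the only mapping a stock file needs
            reason = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append({"line": lineno, "ip": ip_text, "host": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Against a real host, feed it the contents of C:\Windows\System32\drivers\etc\hosts; a stock Windows file yields an empty list because every line in it is a comment, so any finding at all is worth a look.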

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User" C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aaad.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
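
In both detonations three processes (the sample, aaad.exe and rundll32.exe) opened \??\PhysicalDrive0 for modification. The report records the open, not what was written, so "bootkit" is an inference from the handle. Confirming it on a host means reading sector 0 and comparing the 440-byte bootstrap area against a known-good copy, while checking that the partition table and the 0x55AA signature are still intact, since a bootkit keeps those so the machine continues to boot. The parser below is an added example for this page, not part of the report: it builds a constructed clean MBR, parses it, and shows the finding an overwritten bootstrap area produces. On a live Windows host the same sector is read with open(r"\\.\PhysicalDrive0", "rb") from an elevated prompt (the Win32 name of the device the report shows as \??\PhysicalDrive0).

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)


def build_sample_mbr():
    """Constructed clean MBR: NOP-filled bootstrap area, one active NTFS partition at LBA 2048
    and the 0x55AA signature. Stands in for the sector read from a known-good machine."""
    mbr = bytearray(SECTOR)
    mbr[0:440] = b"\x90" * 440
    mbr[440:444] = b"\x12\x34\x56\x78"                                   # NT disk signature
    mbr[446:462] = struct.pack(ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1048576)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Split sector 0 into bootstrap hash, disk signature, partition table and signature check."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype:                                                       # type 0x00 = empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == b"\x55\xAA",
            "disk_signature": mbr[440:444].hex(),
            "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(mbr, baseline_bootcode_sha256):
    """Findings to act on after a process opened the physical drive for writing."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("0x55AA signature missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def simulate_bootkit_overwrite(mbr):
    """Constructed 'infected' sector: the bootstrap code is replaced (here with a jump-to-self
    stub) while the partition table and signature are left intact, as a real bootkit does."""
    out = bytearray(mbr)
    out[0:2] = b"\xEB\xFE"
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootcode_sha256"]
    print("clean:", check_against_baseline(clean, baseline))
    print("overwritten:", check_against_baseline(simulate_bootkit_overwrite(clean), baseline))
```

Sector 0 alone is not the whole story: MBR bootkits commonly park their loader in the unpartitioned sectors between the MBR and the first partition (LBA 1 up to the first entry's lba_start), so the same read should be extended over that gap and hashed as well.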

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\1957 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\8ado.dlltmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\830e.dll C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aaad.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\-1332-10549 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64au.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864d.exe C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\aaad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A
N/A N/A C:\Windows\SysWOW64\aaad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4436 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\aaad.exe
PID 4436 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 4436 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 4436 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 1536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe
PID 1536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe
PID 1536 wrote to memory of 1040 N/A C:\Windows\SysWOW64\aaad.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -i

C:\Windows\SysWOW64\aaad.exe

C:\Windows\system32\aaad.exe -s

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\aaad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 326c38b450d4e8e00968e0b1f6470401
SHA1 56ffac17a189af0302346b829797f72d5d4658fc
SHA256 7163befb152d3924597568f5a010d855e1ced00d26b7eed3d367bd55bd3459f0
SHA512 462ec813832c05ba78d345ea09397e27f8630739d0e5f81f7ea5adf345c4eabcc59e4d0dc3d504cd7beb670bfac7ea863c5449e04fb1f50c559df0710ebe98fe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 60845b09acf8516709e44fe3a05ef6a5
SHA1 1b837b76a6fa7a9c05fb9cf0150ff1d27c3a46aa
SHA256 82a4598ca45690f241bcd0282675f4bd5bd3dc89e8c360c74452ec1c039d72f7
SHA512 5a34e4c18e36614c29029757e48b30452978c6620664605c878c15acebc6fa75ada9bae89bf6e860ea8e62a4ceb15d8583fe33bafc1312b74549fa4a35ef5d9e

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 d8933fe3737dc8279462b9f16a6cb8b7
SHA1 3c961e43b52b3fee3f1b471cad2faa6a450e7a62
SHA256 e571256bdf9d2ed71fc8aebb1b37af1256b6dbe9790034a9af95e3aa2a023004
SHA512 66feb528794ef0416951a460ab5c934d1398fcc78a513d3ad6f0aa9de56403c5231855d3c23cef238f1b85f9370fe0d726e385aa0da449f66b1a665fefc4f1be