Analysis Overview
SHA256
c9c2231837ae6c39dcb2b6bd1942e30de07fb082e4e89bac98805d0cacb88673
Threat Level: Likely malicious
The file 4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 00:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 00:30
Reported
2024-10-17 00:32
Platform
win7-20240903-en
Max time kernel
147s
Max time network
120s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\33ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\33ad.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\33ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\33ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\33ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer\ = "BHO.TwtPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.TwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.TwtPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
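The registry rows above are the full COM registration that `regsvr32 /s aado.dll` performs: a CLSID under the Browser Helper Objects key, an `InprocServer32` entry pointing at the DLL, a ProgID (`BHO.TwtPlayer.1`) and a type library. Reading them by hand is tedious, and the behavioral2 run spells the same keys with a different case (`WOW6432Node`, `Explorer`), so a triage script should compare key paths case-insensitively. The following helper is added here as an example and is not part of the sandbox output; it parses a constructed subset of this page's own indicator rows and follows the BHO key to the module Internet Explorer would load. Note that `aado.dll` itself, along with `33ad.exe` and `330e.dll`, has no hash in the Files section of either run, so this chain is the only place on the page where the persisted module is identified.

```python
"""Follow the BHO registration chain in the sandbox's registry indicators."""
import re

# Rows copied from the "Installs/modifies Browser Helper Object" and "Modifies
# registry class" tables on this page (constructed subset; backslashes inside
# values are doubled exactly as the report prints them).
REGISTRY_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.TwtPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

BHO_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
TYPELIB_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib"
GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}")


def parse_indicator_rows(table_text):
    """Return (keys, values): keys is a set of lower-cased key paths, values maps
    (key, value_name) -> data. The registry is case-insensitive and the two runs
    on this page spell Wow6432Node/WOW6432Node differently, so compare lower-cased."""
    keys, values = set(), {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] not in ("Key created", "Set value (str)"):
            continue
        kind, indicator = cells[0], cells[1]
        if kind == "Key created":
            keys.add(indicator.lower())
            continue
        target, _, data = indicator.partition(" = ")
        data = data.strip().strip('"').replace("\\\\", "\\")   # undo the report's escaping
        if target.endswith("\\"):          # trailing backslash = the key's (Default) value
            key, name = target[:-1], ""
        else:
            key, name = target.rsplit("\\", 1)
        keys.add(key.lower())
        values[(key.lower(), name.lower())] = data
    return keys, values


def resolve_bhos(keys, values):
    """For every CLSID listed under the BHO key, resolve the module IE would load."""
    def val(key, name=""):
        return values.get((key.lower(), name.lower()))

    findings = []
    prefix = BHO_ROOT.lower() + "\\"
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if not GUID_RE.fullmatch(clsid):
            continue
        clsid_key = f"{CLSID_ROOT}\\{clsid}"
        dll = val(f"{clsid_key}\\InprocServer32")
        typelib = val(f"{clsid_key}\\TypeLib")
        typelib_dll = None
        if typelib:
            tl_prefix = f"{TYPELIB_ROOT}\\{typelib}\\".lower()
            for (k, n), d in values.items():
                if n == "" and k.startswith(tl_prefix) and k.endswith("\\0\\win32"):
                    typelib_dll = d
        findings.append({
            "clsid": clsid.upper(),
            "progid": val(f"{clsid_key}\\ProgID"),
            "dll": dll,
            "threading": val(f"{clsid_key}\\InprocServer32", "ThreadingModel"),
            "typelib": typelib.upper() if typelib else None,
            "typelib_dll": typelib_dll,
            # A BHO served from a system directory is not malicious by itself,
            # but it is where this sample put aado.dll.
            "dll_in_system_dir": bool(dll) and dll.lower().startswith(
                ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")),
        })
    return findings


if __name__ == "__main__":
    for finding in resolve_bhos(*parse_indicator_rows(REGISTRY_ROWS)):
        print(finding)
```

On a live host the same walk applies to the real hive: enumerate the CLSIDs under the Browser Helper Objects key, resolve each `InprocServer32` default value, and treat any unsigned module there as a finding to pull for analysis.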
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/aado.dll"
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/aado.dll"
C:\Windows\SysWOW64\33ad.exe
C:\Windows\system32/33ad.exe -i
C:\Windows\SysWOW64\33ad.exe
C:\Windows\system32/33ad.exe -s
C:\Windows\SysWOW64\33ad.exe
C:\Windows\SysWOW64\33ad.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
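Read in order, the process tree shows the dropper silently unregistering four DLL names from the system directory (`70l8.dll`, `03ca.dll`, `da3r.dll`, `aado.dll`), running the dropped `msn.exe`, then registering only `aado.dll` (the BHO above), starting `33ad.exe` with `-i` and `-s` (the switches are the sample's own; their meaning is not given on this page), and twice calling the `Always` export of `330e.dll` through `rundll32`. Two details matter for anyone writing a detection from these lines: the command lines say `C:\Windows\system32` but the Process column says `SysWOW64`, because a 32-bit process on 64-bit Windows has its `system32` references redirected; and the sample mixes `/` and `\` in paths, which Windows accepts but a naive string match will miss. The parser below is an added example, not part of the sandbox output; it normalises the separators and classifies each `regsvr32`/`rundll32` invocation from a constructed copy of the behavioral1 command lines.

```python
"""Classify the LOLBin command lines in the sandbox process tree."""
import re
from dataclasses import dataclass
from typing import Optional

# Command lines copied from the behavioral1 process tree on this page (constructed
# list). The "/" inside system32 paths is the sample's own; Windows accepts it.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"',
    r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"',
    r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"',
    r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"',
    r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/aado.dll"',
    r'C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe',
    r'C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/aado.dll"',
    r'C:\Windows\system32/33ad.exe -i',
    r'C:\Windows\system32/33ad.exe -s',
    r'C:\Windows\SysWOW64\33ad.exe',
    r'C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always',
    r'C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> list:
    """Split on whitespace while keeping double-quoted paths together."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    """Last path component, separators folded to backslash and lower-cased."""
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


@dataclass
class Invocation:
    image: str             # executable basename
    kind: str              # "regsvr32", "rundll32" or "exec"
    target: Optional[str]  # DLL acted on (basename), if any
    action: Optional[str]  # regsvr32: register/unregister; rundll32: export; exec: args
    silent: bool = False   # regsvr32 /s


def classify(cmdline: str) -> Invocation:
    tokens = tokenize(cmdline)
    image = basename(tokens[0])
    if image in ("regsvr32.exe", "regsvr32"):
        flags = {t.lower() for t in tokens[1:] if t.startswith("/")}
        dlls = [t for t in tokens[1:] if not t.startswith("/")]
        return Invocation(image, "regsvr32",
                          basename(dlls[0]) if dlls else None,
                          "unregister" if "/u" in flags else "register",
                          silent="/s" in flags)
    if image in ("rundll32.exe", "rundll32"):
        # rundll32 expects "<dll>,<export> [args]". The sample writes it both with
        # and without a space after the comma, so rejoin and split on the first comma.
        dll, _, rest = " ".join(tokens[1:]).partition(",")
        export = rest.strip().split(" ", 1)[0]
        return Invocation(image, "rundll32", basename(dll.strip()), export or None)
    return Invocation(image, "exec", None, " ".join(tokens[1:]) or None)


def registration_summary(cmdlines) -> dict:
    """What got (un)registered, which exports rundll32 called, and what else ran."""
    inv = [classify(c) for c in cmdlines]
    reg = [i for i in inv if i.kind == "regsvr32"]
    return {
        "unregistered": [i.target for i in reg if i.action == "unregister"],
        "registered": [i.target for i in reg if i.action == "register"],
        "all_silent": all(i.silent for i in reg),
        "rundll32": [(i.target, i.action) for i in inv if i.kind == "rundll32"],
        "exec": [(i.image, i.action) for i in inv if i.kind == "exec"],
    }


if __name__ == "__main__":
    for key, value in registration_summary(COMMAND_LINES).items():
        print(f"{key}: {value}")
```

The same classifier works on process-creation telemetry (Sysmon event 1, EDR command-line fields); the pattern to alert on from this page is `regsvr32 /s` registering a DLL in a system directory followed by a new Browser Helper Objects CLSID, and `rundll32` invoking a named export of a DLL that no installed product owns.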
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
Files
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | 2cfd87c3eef65aaae8a566418e68b2ba |
| SHA1 | 09934582b4eca060d9b2b472c36cc4969e9e8f4c |
| SHA256 | 77743fd918213465eae1be00d8119f151f8dab69e05ee2c516302f129986279a |
| SHA512 | 8104dec2839a58a069c6ddc128673526d21e3c123c4d8067e8d7174478cd9832428e6e6dedeebcc9fd42f8774f75357998d923157f10e225cee6b900363c517d |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | 4f6ce63267d08ab538075ea356d9eccb |
| SHA1 | 018938262eb330fafa52614374c007b6bd60208c |
| SHA256 | 90f87bc8a26d85bac8738ca0b41985b6d6e238c85f830ae713ccc6ca8a0371b8 |
| SHA512 | e216663f9e36b8d5715ddd9a4a6e1184425759bca43414f1a34831a4c78f807d6e028d3c480e87fb4c4509900dce679554335d2c436aa351b56d905f71ef549b |
\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
| MD5 | bd1b591d151e429bcb674e593a5d568f |
| SHA1 | 9cd91cee15fcad50f2853743b581ebec1e535b3c |
| SHA256 | 856920c0868ceec051246d7c97c4a96f5836f3ab2abdbece35222c6eaf518c26 |
| SHA512 | e044bad8420b30bbd761dffef716a2d8fd34f3ff9a20b3a6c2d8a773aa752377e5edde1b02b1ab9ded72198b22bc3f8997e1a0fa25cb4288dd9b3efeaa2c7494 |
C:\Windows\Temp\tmp.exe
| MD5 | 86b5a7321575d9566c2a0d6fd5c06ebf |
| SHA1 | 417728dd2c778cff2b28d496a1897b5faa204b59 |
| SHA256 | 84a0670d1c653b85728074e13fb361a839870a596a3e2280f83026ade1dda468 |
| SHA512 | 0e92673b08268bb33310484e3de552952392875ff04767b0f7aad844b5ab2a0c1bc78e623f05a179ce1557f4a2649b34c720b8259fe714a7e0927bc0dbea0f5a |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
| MD5 | 6046b7447ef80c1bd324ce1e5d01a22a |
| SHA1 | e3ae80092138630737c12fe57991ffa117071479 |
| SHA256 | bacab1a9ba815a5533217ff432d3c2edf21f3f8ecdd8cf36f183e04c9e593a63 |
| SHA512 | 4bc29c866c9856a573d497cc53cc6199dcf5aa4e6e32f785e77a0fb5dd25efc0d7e643a8823186286be949f3e2cb76ae421d0e6f17908d2c6307e1e01ab708f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 00:30
Reported
2024-10-17 00:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
104s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\33ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\33ad.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\33ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\33ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.TwtPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.TwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\aado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer\ = "BHO.TwtPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\ = "CTwtPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\33ad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/aado.dll"
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/aado.dll"
C:\Windows\SysWOW64\33ad.exe
C:\Windows\system32/33ad.exe -i
C:\Windows\SysWOW64\33ad.exe
C:\Windows\system32/33ad.exe -s
C:\Windows\SysWOW64\33ad.exe
C:\Windows\SysWOW64\33ad.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
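The two Network tables need reading together. The Windows 7 run (behavioral1) shows only three lookups, `yahoo.com.cn`, `122.770304123.cn` and `122.zzso.cn`, so those are the sample's. The Windows 10 run adds reverse (`in-addr.arpa`) lookups and Bing traffic that the image generates on its own. In neither run is any of the three `.cn` names followed by a TCP connection, while the Bing names are; that is consistent with the names not resolving or the server being unreachable at detonation time, but a connection table alone cannot tell NXDOMAIN from a resolved name that was never used. The helper below is an added example, not sandbox output; it parses a constructed subset of the behavioral2 table, drops PTR noise, separates background domains on an analyst-maintained allowlist (an assumption, to be kept per sandbox image) from the sample's, and flags names that were queried but never connected to.

```python
"""Separate the sample's DNS activity from sandbox background traffic."""
from collections import defaultdict

# Rows copied from the behavioral2 Network table on this page (constructed subset).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.zzso.cn | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumption: domains the sandbox's Windows 10 image contacts on its own. Maintain
# this list per image; anything not on it is attributed to the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")


def parse_network_table(text):
    """Return (destination, domain, proto) tuples from the page's table rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _country, dest, domain, proto = cells
        rows.append((dest, domain, proto.lower()))
    return rows


def is_dns_query(dest, proto):
    return proto == "udp" and dest.endswith(":53")


def is_reverse_lookup(domain):
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def triage_network(rows):
    """Group rows by domain, count queries against real connections, and flag names
    that were only ever queried. With no follow-on TCP row they either did not
    resolve or were never used; this table alone cannot tell the two apart."""
    stats = defaultdict(lambda: {"queries": 0, "connections": 0, "peers": set()})
    for dest, domain, proto in rows:
        if is_reverse_lookup(domain):       # PTR lookups of peers, not sample activity
            continue
        if is_dns_query(dest, proto):
            stats[domain]["queries"] += 1
        else:
            stats[domain]["connections"] += 1
            stats[domain]["peers"].add(dest)
    report = {"background": {}, "sample": {}, "queried_only": []}
    for domain, s in stats.items():
        bucket = "background" if domain.endswith(BACKGROUND_SUFFIXES) else "sample"
        report[bucket][domain] = {"queries": s["queries"],
                                  "connections": s["connections"],
                                  "peers": sorted(s["peers"])}
        if bucket == "sample" and s["connections"] == 0:
            report["queried_only"].append(domain)
    report["queried_only"].sort()
    return report


if __name__ == "__main__":
    result = triage_network(parse_network_table(NETWORK_TABLE))
    print("sample domains:", sorted(result["sample"]))
    print("queried but never connected:", result["queried_only"])
```

The `queried_only` list is what goes into a DNS block rule or a passive-DNS lookup; the `background` bucket is what you re-check whenever the sandbox image is rebuilt, since a changed allowlist would otherwise surface as new "sample" activity.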
Files
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | bf03c74940b9b8286a0e77e84925707d |
| SHA1 | e3506c50114fb7a1fdf613afd98e6cdb23ec057c |
| SHA256 | 5e412fce9301556b8008f53f20a5ec58d9f7e65446004279c37bbf8b66af4be8 |
| SHA512 | d4592d55c3b25addaf7750f065052e1bebe1aee8d42c14bb5f5b736403088e847340882d70e52eda2154b8ce8e8c9ba25f46116ac700a3206b12ca64417306bf |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | 86855e22ba73c1a121c6b7c6a9f56c8d |
| SHA1 | 66aa6c10ba074aaca38a942c5b83ad0661838a59 |
| SHA256 | 459b1d0f0c35f4ff88f00b937c2ce37153fa6b6df325a684e21291ebfd44b664 |
| SHA512 | 4348425b0604863ef80b64bbccef98af4a99f63e9c3cf943055b8f68c40d4002702409a0c13f928bbf0e579675097c97509dddfc401bb464d5c324593058061e |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
| MD5 | 93d4ccd3eea5fb85f8aac7921ecc5288 |
| SHA1 | 445e4536ec7b5a8536f7ce7bed25e4063e73e9e8 |
| SHA256 | 664c28f68195da2e46db979ef28345042c8b580eb3305c0b6241a1ab65d661a4 |
| SHA512 | 1fad239838095d129c816721049f0dfa374265f37f7d6dd563df553f8049d7b5b3ed5df5d50888d2bfcdc3174e868e3eb43f44635b35340a3c50c2383231b6ab |
C:\Windows\Temp\tmp.exe
| MD5 | 7ee5da3587f7364a816be1ffb5528321 |
| SHA1 | 3910e8f2b8b3c0cef79857513501f427d87b2827 |
| SHA256 | e17ed214d2e89a8f6b4228a121519b94cc4361c54c1741b8505e7736752e8752 |
| SHA512 | 385d291714704dacc6c4face0c171fba3e98dedbd44407c954596cef4265a711828568a5292b1da155c93e026614b0cda13fd183a406489f38e4bfa29c631f41 |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
| MD5 | f2c63e569ef696faf377c0f703759390 |
| SHA1 | cb815c600370d7ebe5bc306c2b48e4f618550262 |
| SHA256 | 608389f5f3ffb9d6f04b6f4209f6f0899282f79b99389999bbc1d43e3066facc |
| SHA512 | b8ee530b6a17f10020234ce04458232a2516267930f04bcb08224705f2c752ee6606cc19faaf900d931b20e20fe5aad86b36f011d1e8ec904cd28bd5066824b9 |