Malware Analysis Report

2025-08-05 10:49

Sample ID 241017-atjytsvgpj
Target 4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118
SHA256 c9c2231837ae6c39dcb2b6bd1942e30de07fb082e4e89bac98805d0cacb88673
Tags
adware bootkit discovery persistence stealer
Score 8/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256

c9c2231837ae6c39dcb2b6bd1942e30de07fb082e4e89bac98805d0cacb88673

Threat Level: Likely malicious

The file 4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit discovery persistence stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 00:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 00:30

Reported

2024-10-17 00:32

Platform

win7-20240903-en

Max time kernel

147s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\33ad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\33ad.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ˆó%-8-3957-24 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33ad.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aado.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aado.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\330e.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\0b6 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686u.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\33ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\33ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\33ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer\ = "BHO.TwtPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.TwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.TwtPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\aado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2148 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2060 wrote to memory of 1636 N/A C:\Windows\SysWOW64\33ad.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/aado.dll"

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/aado.dll"

C:\Windows\SysWOW64\33ad.exe

C:\Windows\system32/33ad.exe -i

C:\Windows\SysWOW64\33ad.exe

C:\Windows\system32/33ad.exe -s

C:\Windows\SysWOW64\33ad.exe

C:\Windows\SysWOW64\33ad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 2cfd87c3eef65aaae8a566418e68b2ba
SHA1 09934582b4eca060d9b2b472c36cc4969e9e8f4c
SHA256 77743fd918213465eae1be00d8119f151f8dab69e05ee2c516302f129986279a
SHA512 8104dec2839a58a069c6ddc128673526d21e3c123c4d8067e8d7174478cd9832428e6e6dedeebcc9fd42f8774f75357998d923157f10e225cee6b900363c517d

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 4f6ce63267d08ab538075ea356d9eccb
SHA1 018938262eb330fafa52614374c007b6bd60208c
SHA256 90f87bc8a26d85bac8738ca0b41985b6d6e238c85f830ae713ccc6ca8a0371b8
SHA512 e216663f9e36b8d5715ddd9a4a6e1184425759bca43414f1a34831a4c78f807d6e028d3c480e87fb4c4509900dce679554335d2c436aa351b56d905f71ef549b

\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

MD5 bd1b591d151e429bcb674e593a5d568f
SHA1 9cd91cee15fcad50f2853743b581ebec1e535b3c
SHA256 856920c0868ceec051246d7c97c4a96f5836f3ab2abdbece35222c6eaf518c26
SHA512 e044bad8420b30bbd761dffef716a2d8fd34f3ff9a20b3a6c2d8a773aa752377e5edde1b02b1ab9ded72198b22bc3f8997e1a0fa25cb4288dd9b3efeaa2c7494

C:\Windows\Temp\tmp.exe

MD5 86b5a7321575d9566c2a0d6fd5c06ebf
SHA1 417728dd2c778cff2b28d496a1897b5faa204b59
SHA256 84a0670d1c653b85728074e13fb361a839870a596a3e2280f83026ade1dda468
SHA512 0e92673b08268bb33310484e3de552952392875ff04767b0f7aad844b5ab2a0c1bc78e623f05a179ce1557f4a2649b34c720b8259fe714a7e0927bc0dbea0f5a

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 6046b7447ef80c1bd324ce1e5d01a22a
SHA1 e3ae80092138630737c12fe57991ffa117071479
SHA256 bacab1a9ba815a5533217ff432d3c2edf21f3f8ecdd8cf36f183e04c9e593a63
SHA512 4bc29c866c9856a573d497cc53cc6199dcf5aa4e6e32f785e77a0fb5dd25efc0d7e643a8823186286be949f3e2cb76ae421d0e6f17908d2c6307e1e01ab708f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 00:30

Reported

2024-10-17 00:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\33ad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\33ad.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\70l8.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03ca.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33ad.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\887160-127 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\04c3 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\30e6.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0dr0.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0aa3.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\330e.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aado.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aado.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\70l8.dlltmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\33u6.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\03as.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\da3r.dll C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\0ddd.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\686.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\d06d.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686u.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\aa0d.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\733a.flv C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\64a.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\864.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\4acu.bmp C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\686d.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\ms.job C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\0d06.exe C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\33ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\33ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.TwtPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.TwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\aado.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "ITwtPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer\CurVer\ = "BHO.TwtPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\ = "CTwtPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TwtPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A
N/A N/A C:\Windows\SysWOW64\33ad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 3204 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 3204 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe
PID 3204 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\33ad.exe
PID 3204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 3204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 3204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3512 N/A C:\Windows\SysWOW64\33ad.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3512 N/A C:\Windows\SysWOW64\33ad.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3512 N/A C:\Windows\SysWOW64\33ad.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fdf9ea8cab06346f3cec7a9382b4f6b_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/aado.dll"

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/aado.dll"

C:\Windows\SysWOW64\33ad.exe

C:\Windows\system32/33ad.exe -i

C:\Windows\SysWOW64\33ad.exe

C:\Windows\system32/33ad.exe -s

C:\Windows\SysWOW64\33ad.exe

C:\Windows\SysWOW64\33ad.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 bf03c74940b9b8286a0e77e84925707d
SHA1 e3506c50114fb7a1fdf613afd98e6cdb23ec057c
SHA256 5e412fce9301556b8008f53f20a5ec58d9f7e65446004279c37bbf8b66af4be8
SHA512 d4592d55c3b25addaf7750f065052e1bebe1aee8d42c14bb5f5b736403088e847340882d70e52eda2154b8ce8e8c9ba25f46116ac700a3206b12ca64417306bf

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 86855e22ba73c1a121c6b7c6a9f56c8d
SHA1 66aa6c10ba074aaca38a942c5b83ad0661838a59
SHA256 459b1d0f0c35f4ff88f00b937c2ce37153fa6b6df325a684e21291ebfd44b664
SHA512 4348425b0604863ef80b64bbccef98af4a99f63e9c3cf943055b8f68c40d4002702409a0c13f928bbf0e579675097c97509dddfc401bb464d5c324593058061e

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\msn.exe

MD5 93d4ccd3eea5fb85f8aac7921ecc5288
SHA1 445e4536ec7b5a8536f7ce7bed25e4063e73e9e8
SHA256 664c28f68195da2e46db979ef28345042c8b580eb3305c0b6241a1ab65d661a4
SHA512 1fad239838095d129c816721049f0dfa374265f37f7d6dd563df553f8049d7b5b3ed5df5d50888d2bfcdc3174e868e3eb43f44635b35340a3c50c2383231b6ab

C:\Windows\Temp\tmp.exe

MD5 7ee5da3587f7364a816be1ffb5528321
SHA1 3910e8f2b8b3c0cef79857513501f427d87b2827
SHA256 e17ed214d2e89a8f6b4228a121519b94cc4361c54c1741b8505e7736752e8752
SHA512 385d291714704dacc6c4face0c171fba3e98dedbd44407c954596cef4265a711828568a5292b1da155c93e026614b0cda13fd183a406489f38e4bfa29c631f41

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 f2c63e569ef696faf377c0f703759390
SHA1 cb815c600370d7ebe5bc306c2b48e4f618550262
SHA256 608389f5f3ffb9d6f04b6f4209f6f0899282f79b99389999bbc1d43e3066facc
SHA512 b8ee530b6a17f10020234ce04458232a2516267930f04bcb08224705f2c752ee6606cc19faaf900d931b20e20fe5aad86b36f011d1e8ec904cd28bd5066824b9