Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-tk1d1a1dmg
Target 837d9aa98734a8157427db992ec652b1_JaffaCakes118
SHA256 bb2a92ec461dba24f99e11146ac279a1a7abc5fcdfa784ab6f063b18e89aadf5
Tags bootkit discovery persistence upx
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 837d9aa98734a8157427db992ec652b1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-10-31 16:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 16:07

Reported

2024-10-31 16:11

Platform

win7-20240903-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×16)

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\taobao.ico C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\TypeLib\ = "{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\DefaultIcon\ = "c:\\windows\\taobao.ico" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\TypeLib C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.05zw.com/taobao/taobao.html" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\TypeLib C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ShellFolder C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ = "ÌÔ±¦-ÌØ¼Û" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\InfoTip = "ÌÔ±¦-ÌØ¼Û" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\InfoTip = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ShellFolder C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\TypeLib\ = "{94DECDFE-1333-4535-A754-E601CE30FB08}" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A (×2)

Processes

C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

"C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 15.197.225.128:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
CN 36.155.164.39:80 ping.ie.sogou.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

MD5 006bcf6d8e9bcda4ad8323f3622e245b
SHA1 45b88bd752ea8853a3aebf5779ae47666253251c
SHA256 8854b97a765d20e2f15cc2da23bd78584bc3f67ec05a7e3f16020690f25d3821
SHA512 4008fbce2719618acd2a4f852a601517935a018f56ff361c4c08a88fb1446f2e35652c8128ed86b313bd198966ffb8892c6ee7000132551d396dbcb40ba48ec0

\Users\Admin\AppData\Local\Temp\nstF1EE.tmp\inetc.dll

MD5 8d8fdad7e153d6b82913f6fdc407d12c
SHA1 aabbeed33cd5221e4cb22aab6e48310df94facfd
SHA256 e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b
SHA512 42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

memory/2776-26-0x0000000000240000-0x00000000002EB000-memory.dmp

memory/2776-27-0x0000000000240000-0x00000000002EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nstF1EE.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nstF1EE.tmp\md5dll.dll

MD5 a7d710e78711d5ab90e4792763241754
SHA1 f31cecd926c5d497aba163a17b75975ec34beb13
SHA256 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512 f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

memory/2644-10-0x0000000000A40000-0x0000000000AEB000-memory.dmp

memory/2776-34-0x0000000000400000-0x00000000004AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 16:07

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×4)

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\taobao.ico C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\TypeLib\ = "{94DECDFE-1333-4535-A754-E601CE30FB08}" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\TypeLib\ = "{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ShellFolder C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ShellFolder C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\TypeLib C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\InfoTip = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\ = "ÌÔ±¦-ÌØ¼Û" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\Shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\TypeLib C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94DECDFE-1333-4535-A754-E601CE30FB08}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8} C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\InfoTip = "ÌÔ±¦-ÌØ¼Û" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\DefaultIcon\ = "c:\\windows\\taobao.ico" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B9DCD-E16C-4CCE-8D71-2745C0E8B2F8}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.05zw.com/taobao/taobao.html" C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A (×2)

Processes

C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\837d9aa98734a8157427db992ec652b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

"C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 3.33.251.168:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 168.251.33.3.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
CN 36.155.183.168:80 ping.ie.sogou.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsa6EF7.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nsa6EF7.tmp\inetc.dll

MD5 8d8fdad7e153d6b82913f6fdc407d12c
SHA1 aabbeed33cd5221e4cb22aab6e48310df94facfd
SHA256 e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b
SHA512 42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

memory/1692-19-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsa6EF7.tmp\md5dll.dll

MD5 a7d710e78711d5ab90e4792763241754
SHA1 f31cecd926c5d497aba163a17b75975ec34beb13
SHA256 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512 f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

MD5 006bcf6d8e9bcda4ad8323f3622e245b
SHA1 45b88bd752ea8853a3aebf5779ae47666253251c
SHA256 8854b97a765d20e2f15cc2da23bd78584bc3f67ec05a7e3f16020690f25d3821
SHA512 4008fbce2719618acd2a4f852a601517935a018f56ff361c4c08a88fb1446f2e35652c8128ed86b313bd198966ffb8892c6ee7000132551d396dbcb40ba48ec0

memory/1692-31-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1692-33-0x0000000000400000-0x00000000004AB000-memory.dmp