4ac8001e36cc417c72abf88f52a8f426e60d93f312a27fa64595aa562ab33c08

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
Size

220KB
MD5

030bc9cb1468ae55feabb813ac345be1
SHA1

5e9537056032599bd9332e805fb512f6b02cd675
SHA256

4ac8001e36cc417c72abf88f52a8f426e60d93f312a27fa64595aa562ab33c08
SHA512

e31166ea94617b7f84cf8ab181dddb408caf26e05998d199e61a66fbe2031017e311a489965d5f21bba96e6b42d1d4a377f7cc1d4fb72c20f9a5286636f5486c
SSDEEP

3072:ulqCTufi6SYrSiF1U2+901z3gO1FAbJDpct56kIqjK:OqG6SPkWhe7Oqt

Score

10^/10

adware bootkit evasion persistence stealer upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Dofake.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Dofake.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Dofake.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Dofake.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 1172 rundll32.exe

flow	pid	process
8	1172	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\try6703.dll	acprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2500 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Dofake.exe

pid process

2856 Dofake.exe

pid	process
2500	cmd.exe

pid	process
2856	Dofake.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exerundll32.exe030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exeregsvr32.exe

pid	process
1312	regsvr32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
2964	regsvr32.exe
2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\try6703.dll	upx
behavioral1/memory/1172-12-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-13-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-150-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-153-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-155-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-156-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral1/memory/1172-158-0x0000000010000000-0x0000000010023000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Dofake.exe

description	ioc	process
File opened (read-only)	\??\I:	Dofake.exe
File opened (read-only)	\??\J:	Dofake.exe
File opened (read-only)	\??\K:	Dofake.exe
File opened (read-only)	\??\L:	Dofake.exe
File opened (read-only)	\??\M:	Dofake.exe
File opened (read-only)	\??\E:	Dofake.exe
File opened (read-only)	\??\G:	Dofake.exe
File opened (read-only)	\??\H:	Dofake.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 7 IoCs

Processes:

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\try6703.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\try6703.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\puihile.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dofake.exe	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taob.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FloodCore.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\ = "BhoPlugin 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ = "IEyeOnIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ = "C:\\Windows\\SysWow64\\taob.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\puihile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1172 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exeDofake.exe

pid process

2368 030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
2856 Dofake.exe

pid	process
1172	rundll32.exe

pid	process
2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
2856	Dofake.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

description	pid	process	target process
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1312	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 1172	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 2368 wrote to memory of 2856	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 2368 wrote to memory of 2856	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 2368 wrote to memory of 2856	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 2368 wrote to memory of 2856	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2964	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 2368 wrote to memory of 2500	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe
PID 2368 wrote to memory of 2500	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe
PID 2368 wrote to memory of 2500	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe
PID 2368 wrote to memory of 2500	2368	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\System32\puihile.dll
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\rundll32.exe
rundll32 try6703.dll , InstallMyDll
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\SysWOW64\Dofake.exe
C:\Windows\System32\Dofake.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\System32\taob.dll
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c 375519961O57540.bat
2⤵
- Deletes itself
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat
Filesize
2KB

MD5
1711750c37a1752a81cec0c6c15fea4d

SHA1
6d157d946310d870698d5ba7c9a028a30984b195

SHA256
d2a9192b117b01e0d8552d1b002aa887a946f9f5a4de0e03389180b3ede82a9f

SHA512
f6a5982f2cd666fb8ca663241cf0d9f0aaae01496106ad0edcfd1ccb99f502db109cd3805f7653dcf4ffadaef265cbede1ea2b26c219d27faae470be1938826b

Download Submit
C:\Windows\SysWOW64\Web.ini
Filesize
2KB

MD5
9d2e75dfd1a854de293c5db496e73fbd

SHA1
7fd4f0cb0af9299a89a1d393ff02f58005428664

SHA256
f89c0c0afc1961cba594e60b664ea522de90e61459e8e89174a9f757ce64aaf7

SHA512
aed37024179b3904d3d34081146657f297386100dd7ce1c78a286b30fc8ce732f0e0017919f2b54c6275ec11ff354fd96324bc2c08297fafc90eae6c6d8c9188

Download Submit
C:\Windows\SysWOW64\puihile.dll
Filesize
52KB

MD5
197f927a78abf8169c80c7fce6ce8011

SHA1
b33ab406ce11290f0a639460b5e3a991d253e9d1

SHA256
6209037cf3a7e4586ff1c95a9c931c1b4030296ad7fed87b06c764cc0432e18f

SHA512
1ab184159b1f5c19f6ff795aef7ed240c7749386070732ec9429174beb9806acbe7fe44f72a25a0791809c85860d1c2e31dc540d03a1d14e4854316785aec694

Download Submit
C:\Windows\SysWOW64\try6703.dll
Filesize
27KB

MD5
6b45fea3286b74abf97306c9219e9a7b

SHA1
41158256979725cbe96f478253b235b1016e709d

SHA256
024024b22031867e5ec72f96a267ec391021794c9c24fa8b14d5b6756aca83a5

SHA512
3d0bb50b39c38f12118aed6c2b6699bae42b2a65ea5b8e918b9431494f7b698b20b919c40149d144e2952c433f382f8b706e8d035692b55ef5380cb1125b3377

Download Submit
\Windows\SysWOW64\Dofake.exe
Filesize
60KB

MD5
d31138ba5d6047492ee2c6efa6b66f2b

SHA1
148dc90c2d5965e579e7a8bf4b873168e58f68a8

SHA256
d8d31e06df797c6dbc454676597874fef8d829a9ac1037b93e568444d05f2d75

SHA512
ad83e0ee200da8e60678b8bba55e5921b22cbbe349b89e62481b6f549691e3070da3543b3a230a6f8488d16a884ae1a8ec482d27c882ea70cd205f2c455a3de2

Download Submit
\Windows\SysWOW64\FloodCore.dll
Filesize
24KB

MD5
b3c403d9f9c3b9d1cc3682ad840e301b

SHA1
1b3ad4baa8d8d1c70ed8ed91666ff51e454d5a16

SHA256
7eb060a5728b918895e6873343aa82c849e39f35a590768ea39fbff4de873104

SHA512
d7ad7d9f0cc3a93f02301bee62deacb0b77535027c9c49cc8b28f6022e389d69d84ac1272ff2b75fe7d13255f17620e8cb3a8e7361d98cb69a231ec427f57332

Download Submit
\Windows\SysWOW64\taob.dll
Filesize
28KB

MD5
3ce7360b74013b37de60d1c703744bab

SHA1
3b3e2b472940f112656de13ac28e27b5a57773c0

SHA256
6c6754568466c10112cb01964677c7cdf2325d02ae72eec6357d5b519bd8fc4f

SHA512
a17dc7ae770e6d5569952ae8bba68ab2f5d3657ac54f1bc8418a73efbbe76eb4b026d8c9082a74721eeee12e3feaa59e6cdc62e702fb4b9cf7704e1be420eced

Download Submit
memory/1172-10-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-13-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-8-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-12-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-9-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-150-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-153-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-155-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-156-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-158-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download