4ac8001e36cc417c72abf88f52a8f426e60d93f312a27fa64595aa562ab33c08

General

Target

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
Size

220KB
MD5

030bc9cb1468ae55feabb813ac345be1
SHA1

5e9537056032599bd9332e805fb512f6b02cd675
SHA256

4ac8001e36cc417c72abf88f52a8f426e60d93f312a27fa64595aa562ab33c08
SHA512

e31166ea94617b7f84cf8ab181dddb408caf26e05998d199e61a66fbe2031017e311a489965d5f21bba96e6b42d1d4a377f7cc1d4fb72c20f9a5286636f5486c
SSDEEP

3072:ulqCTufi6SYrSiF1U2+901z3gO1FAbJDpct56kIqjK:OqG6SPkWhe7Oqt

Score

10^/10

adware bootkit evasion persistence stealer upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Dofake.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Dofake.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Dofake.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Dofake.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\try6703.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

Dofake.exe

pid process

680 Dofake.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exeregsvr32.exe030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

pid process

712 regsvr32.exe
3828 rundll32.exe
1724 regsvr32.exe
3968 030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

pid	process
680	Dofake.exe

pid	process
712	regsvr32.exe
3828	rundll32.exe
1724	regsvr32.exe
3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\try6703.dll	upx
behavioral2/memory/3828-6-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-7-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-135-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-137-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-138-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-139-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-140-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-141-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-142-0x0000000010000000-0x0000000010023000-memory.dmp	upx
behavioral2/memory/3828-143-0x0000000010000000-0x0000000010023000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Dofake.exe

description	ioc	process
File opened (read-only)	\??\I:	Dofake.exe
File opened (read-only)	\??\J:	Dofake.exe
File opened (read-only)	\??\K:	Dofake.exe
File opened (read-only)	\??\L:	Dofake.exe
File opened (read-only)	\??\M:	Dofake.exe
File opened (read-only)	\??\E:	Dofake.exe
File opened (read-only)	\??\G:	Dofake.exe
File opened (read-only)	\??\H:	Dofake.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 7 IoCs

Processes:

rundll32.exe030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe
File created	C:\Windows\SysWOW64\try6703.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\try6703.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\puihile.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dofake.exe	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taob.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FloodCore.dll	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\ = "EyeOnIE Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\taob.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\puihile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\puihile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ = "C:\\Windows\\SysWow64\\taob.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\ = "BhoPlugin 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ = "IEyeOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3828 rundll32.exe
3828 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exeDofake.exe

pid process

3968 030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
680 Dofake.exe

pid	process
3828	rundll32.exe
3828	rundll32.exe

pid	process
3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
680	Dofake.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

description	pid	process	target process
PID 3968 wrote to memory of 712	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 712	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 712	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 3828	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 3968 wrote to memory of 3828	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 3968 wrote to memory of 3828	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	rundll32.exe
PID 3968 wrote to memory of 680	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 3968 wrote to memory of 680	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 3968 wrote to memory of 680	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	Dofake.exe
PID 3968 wrote to memory of 1724	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 1724	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 1724	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	regsvr32.exe
PID 3968 wrote to memory of 1128	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe
PID 3968 wrote to memory of 1128	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe
PID 3968 wrote to memory of 1128	3968	030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\System32\puihile.dll
2⤵
- Loads dropped DLL
- Modifies registry class
PID:712

C:\Windows\SysWOW64\rundll32.exe
rundll32 try6703.dll , InstallMyDll
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Windows\SysWOW64\Dofake.exe
C:\Windows\System32\Dofake.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\System32\taob.dll
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 375519961O57540.bat
2⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Modify Registry

3

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat
Filesize
2KB

MD5
1711750c37a1752a81cec0c6c15fea4d

SHA1
6d157d946310d870698d5ba7c9a028a30984b195

SHA256
d2a9192b117b01e0d8552d1b002aa887a946f9f5a4de0e03389180b3ede82a9f

SHA512
f6a5982f2cd666fb8ca663241cf0d9f0aaae01496106ad0edcfd1ccb99f502db109cd3805f7653dcf4ffadaef265cbede1ea2b26c219d27faae470be1938826b

Download Submit
C:\Windows\SysWOW64\Dofake.exe
Filesize
60KB

MD5
d31138ba5d6047492ee2c6efa6b66f2b

SHA1
148dc90c2d5965e579e7a8bf4b873168e58f68a8

SHA256
d8d31e06df797c6dbc454676597874fef8d829a9ac1037b93e568444d05f2d75

SHA512
ad83e0ee200da8e60678b8bba55e5921b22cbbe349b89e62481b6f549691e3070da3543b3a230a6f8488d16a884ae1a8ec482d27c882ea70cd205f2c455a3de2

Download Submit
C:\Windows\SysWOW64\FloodCore.dll
Filesize
24KB

MD5
b3c403d9f9c3b9d1cc3682ad840e301b

SHA1
1b3ad4baa8d8d1c70ed8ed91666ff51e454d5a16

SHA256
7eb060a5728b918895e6873343aa82c849e39f35a590768ea39fbff4de873104

SHA512
d7ad7d9f0cc3a93f02301bee62deacb0b77535027c9c49cc8b28f6022e389d69d84ac1272ff2b75fe7d13255f17620e8cb3a8e7361d98cb69a231ec427f57332

Download Submit
C:\Windows\SysWOW64\Web.ini
Filesize
2KB

MD5
9d2e75dfd1a854de293c5db496e73fbd

SHA1
7fd4f0cb0af9299a89a1d393ff02f58005428664

SHA256
f89c0c0afc1961cba594e60b664ea522de90e61459e8e89174a9f757ce64aaf7

SHA512
aed37024179b3904d3d34081146657f297386100dd7ce1c78a286b30fc8ce732f0e0017919f2b54c6275ec11ff354fd96324bc2c08297fafc90eae6c6d8c9188

Download Submit
C:\Windows\SysWOW64\puihile.dll
Filesize
52KB

MD5
197f927a78abf8169c80c7fce6ce8011

SHA1
b33ab406ce11290f0a639460b5e3a991d253e9d1

SHA256
6209037cf3a7e4586ff1c95a9c931c1b4030296ad7fed87b06c764cc0432e18f

SHA512
1ab184159b1f5c19f6ff795aef7ed240c7749386070732ec9429174beb9806acbe7fe44f72a25a0791809c85860d1c2e31dc540d03a1d14e4854316785aec694

Download Submit
C:\Windows\SysWOW64\taob.dll
Filesize
28KB

MD5
3ce7360b74013b37de60d1c703744bab

SHA1
3b3e2b472940f112656de13ac28e27b5a57773c0

SHA256
6c6754568466c10112cb01964677c7cdf2325d02ae72eec6357d5b519bd8fc4f

SHA512
a17dc7ae770e6d5569952ae8bba68ab2f5d3657ac54f1bc8418a73efbbe76eb4b026d8c9082a74721eeee12e3feaa59e6cdc62e702fb4b9cf7704e1be420eced

Download Submit
C:\Windows\SysWOW64\try6703.dll
Filesize
27KB

MD5
6b45fea3286b74abf97306c9219e9a7b

SHA1
41158256979725cbe96f478253b235b1016e709d

SHA256
024024b22031867e5ec72f96a267ec391021794c9c24fa8b14d5b6756aca83a5

SHA512
3d0bb50b39c38f12118aed6c2b6699bae42b2a65ea5b8e918b9431494f7b698b20b919c40149d144e2952c433f382f8b706e8d035692b55ef5380cb1125b3377

Download Submit
memory/3828-137-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-6-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-135-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-7-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-138-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-139-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-140-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-141-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-142-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3828-143-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads