Malware Analysis Report

2025-01-03 09:23

Sample ID 240620-qrm6gazemb
Target 066ebb71605984d91572879f47b59ce2_JaffaCakes118
SHA256 b3a182fe9fb0f36ee3a091fb1ae793356a9f2ab0e5c2145cc95f77c34383fc12
Tags
bootkit discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b3a182fe9fb0f36ee3a091fb1ae793356a9f2ab0e5c2145cc95f77c34383fc12

Threat Level: Shows suspicious behavior

The file 066ebb71605984d91572879f47b59ce2_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence upx

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 13:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 13:29

Reported

2024-06-20 13:32

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
N/A N/A C:\Windows\SysWOW64\razami.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\razami.exe" C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\razami.exe" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\razami.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\qgugb.dat C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
File created C:\Windows\SysWOW64\razami.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
File created C:\Windows\SysWOW64\cxaxrdn.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
File created C:\Windows\SysWOW64\qgugb.dat C:\Windows\SysWOW64\razami.exe N/A
File opened for modification C:\Windows\SysWOW64\peyehsi.dll C:\Windows\SysWOW64\razami.exe N/A
File created C:\Windows\SysWOW64\razami.exe C:\Windows\SysWOW64\razami.exe N/A
File opened for modification C:\Windows\SysWOW64\cxaxrdn.exe C:\Windows\SysWOW64\razami.exe N/A
File opened for modification C:\Windows\SysWOW64\norop.dll C:\Windows\SysWOW64\razami.exe N/A
File created C:\Windows\SysWOW64\wmconfig.cpl C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File created C:\Windows\SysWOW64\winup2date.dll C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File created C:\Windows\SysWOW64\peyehsi.dll C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
File created C:\Windows\SysWOW64\norop.dll C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\unadbeh.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File opened for modification C:\Windows\arnrh.dll C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ProgId\ = "rfxfuoei.class" C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq\ = "{273d3bca-9b4a-4afc-9481-b22c629fa263}" C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ = "rfxfuoei.class" C:\Windows\SysWOW64\razami.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32 C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ = "rfxfuoei.class" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ProgId C:\Windows\SysWOW64\razami.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq C:\Windows\SysWOW64\razami.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\winup2date.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f} C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ProgId C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32\ = "C:\\Windows\\SysWow64\\norop.dll" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ProgId\ = "rfxfuoei.class" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32\ = "C:\\Windows\\SysWow64\\norop.dll" C:\Windows\SysWOW64\razami.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq\ = "{874e03a6-9c82-4e39-a9af-d2283ff7651f}" C:\Users\Admin\AppData\Local\Temp\f259401613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263} C:\Windows\SysWOW64\razami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2032 wrote to memory of 2020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2020 wrote to memory of 3004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 2020 wrote to memory of 3004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 2020 wrote to memory of 3004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 2020 wrote to memory of 3004 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 3004 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe
PID 3004 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe
PID 3004 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe
PID 3004 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f259401613.exe
PID 2608 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f259401613.exe C:\Windows\SysWOW64\razami.exe
PID 2608 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f259401613.exe C:\Windows\SysWOW64\razami.exe
PID 2608 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f259401613.exe C:\Windows\SysWOW64\razami.exe
PID 2608 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f259401613.exe C:\Windows\SysWOW64\razami.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe

"C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe"

C:\Users\Admin\AppData\Local\Temp\f259401613.exe

"C:\Users\Admin\AppData\Local\Temp\f259401613.exe"

C:\Windows\SysWOW64\razami.exe

"C:\Windows\system32\razami.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\winup2date.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.mmviewer.com udp

Files

\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe

MD5 e8f00b7b09842ede8600080ba8b29ccf
SHA1 0a97cd19370d65596bf5c628b6d247bc9362a224
SHA256 71db06578766b005bc5b297baa6a34382dfcc5009086c1bfdfb9911574151dbf
SHA512 24eece275d92289e2be5597f9ade5bbe68e5c3d926fb97236fd8c7710dbedb4214926b9143eb77e464349d04e91c1fcf62ddd066565a3ddb3fe3f9538411c929

\Users\Admin\AppData\Local\Temp\f259401613.exe

MD5 2bbc7cfcf052d0bd00821986864725ce
SHA1 6f55c6b0edc41eec83adf92fe92f787c29527744
SHA256 29ad1a9f9f2a37498622530517f50ebce1b65be578f7e4e1b36fa4ccce2c98ef
SHA512 9256fa02173880f240408f69b12416a837b1674c9092219dfa3689ea057b0fe97ad75f3c0e433b6b261ec1aef259b4a189318de480755d6f3ebb9d2056efb7c0

memory/2608-22-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3004-21-0x00000000021F0000-0x0000000002206000-memory.dmp

memory/3004-20-0x00000000021F0000-0x0000000002206000-memory.dmp

\Windows\SysWOW64\norop.dll

MD5 0c7876e9c3d3a841ebbdc06dfc8e1ba1
SHA1 45cf786a3a241f35d8412449dade36c2910e20d6
SHA256 c9f68b243ddcad4542f26b97c7a17095ebefc397a7ee7bc20483063f82340496
SHA512 11a8a56c44b6843d68cbab8b95e2b6acfbb4e47d5c2f3db4a21d7bafce9f4f2edcb41c0355f675f333622b4401beb528de42ce7445991f86f53b127f8bab6b89

memory/2608-42-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2608-40-0x0000000000280000-0x0000000000296000-memory.dmp

memory/2608-39-0x0000000010000000-0x0000000010009000-memory.dmp

memory/2624-44-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\cxaxrdn.exe

MD5 8bafaf18a0578642f864ed8cbf982346
SHA1 4fcb8312c5b06ef3b04f21d10f77d90a70afd006
SHA256 eab5c0bbd9c46da00f0824e554628f34552e01ceeac2febc4f4343d1c40809fe
SHA512 ea43e9ef5b1459b09b36662c5681285bf7366fdce23bd50df9567f94af768157a3be3b378e0a35de249d342b11cd0184a73458a783bb935a6672199b1d18e9a4

C:\Windows\SysWOW64\peyehsi.dll

MD5 2a9bc69d9030a614f4cce970d21ea89f
SHA1 92e44c26a75098cb7bd3cab1b0e2a34af6d0e4eb
SHA256 1f6aa1544d355f391a088747e1cf7acd5575e0c312a4e79a3602d591bcf552e0
SHA512 8c1dbffad8f1750f5dcd76a9035a8f6b6cc38269698b0bbb1290aa305dbb52106b726b0ac92efef82ffab40af074f85f5729dcea32afb014ac913ae5582fcfad

memory/2624-56-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\winup2date.dll

MD5 0d133977906f46726940c0a1ed338f3b
SHA1 b0c2dddb856d66c78b1f30e3c997d335420add2a
SHA256 47839caf62ef254f18a584cd915c1e83b4fa29a9f43400f3766d9d49e9445dab
SHA512 7d8fc2385ca330a47dc5b04f440f214b2d315db490aa9ca8e7dc4aa5182bd1ada5a8a9f052d44ee439806589262798ecf01616d572bfcca322a5b18d2e31ec73

memory/2448-59-0x0000000010000000-0x0000000010008000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 13:29

Reported

2024-06-20 13:32

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
N/A N/A C:\Windows\SysWOW64\ivvlkr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\ivvlkr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\ivvlkr.exe" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\ivvlkr.exe" C:\Windows\SysWOW64\ivvlkr.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ivvlkr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sttbrpt.dll C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
File created C:\Windows\SysWOW64\wmconfig.cpl C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File created C:\Windows\SysWOW64\daaqu.dll C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
File created C:\Windows\SysWOW64\ivvlkr.exe C:\Windows\SysWOW64\ivvlkr.exe N/A
File opened for modification C:\Windows\SysWOW64\daaqu.dll C:\Windows\SysWOW64\ivvlkr.exe N/A
File created C:\Windows\SysWOW64\winup2date.dll C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File created C:\Windows\SysWOW64\wppyk.dat C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
File created C:\Windows\SysWOW64\wppyk.dat C:\Windows\SysWOW64\ivvlkr.exe N/A
File opened for modification C:\Windows\SysWOW64\sttbrpt.dll C:\Windows\SysWOW64\ivvlkr.exe N/A
File opened for modification C:\Windows\SysWOW64\dbbqmcb.exe C:\Windows\SysWOW64\ivvlkr.exe N/A
File created C:\Windows\SysWOW64\ivvlkr.exe C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
File created C:\Windows\SysWOW64\dbbqmcb.exe C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\unadbeh.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe N/A
File opened for modification C:\Windows\mjjvz.dll C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\winup2date.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\ivvlkr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ = "oeejrreu.class" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ProgId\ = "oeejrreu.class" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ProgId C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ = "oeejrreu.class" C:\Windows\SysWOW64\ivvlkr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32 C:\Windows\SysWOW64\ivvlkr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32\ = "C:\\Windows\\SysWow64\\daaqu.dll" C:\Windows\SysWOW64\ivvlkr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c} C:\Windows\SysWOW64\ivvlkr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft C:\Windows\SysWOW64\ivvlkr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft\ = "{39a8bf4b-af19-4c4f-92c4-9e07419f372c}" C:\Windows\SysWOW64\ivvlkr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330} C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32\ = "C:\\Windows\\SysWow64\\daaqu.dll" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ProgId C:\Windows\SysWOW64\ivvlkr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft\ = "{43916785-1d6b-4023-b5f1-7f423e80d330}" C:\Users\Admin\AppData\Local\Temp\f240609859.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ProgId\ = "oeejrreu.class" C:\Windows\SysWOW64\ivvlkr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 3532 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5080 wrote to memory of 3532 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5080 wrote to memory of 3532 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3532 wrote to memory of 912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 3532 wrote to memory of 912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 3532 wrote to memory of 912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
PID 912 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f240609859.exe
PID 912 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f240609859.exe
PID 912 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Users\Admin\AppData\Local\Temp\f240609859.exe
PID 912 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 912 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 912 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3096 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f240609859.exe C:\Windows\SysWOW64\ivvlkr.exe
PID 3096 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f240609859.exe C:\Windows\SysWOW64\ivvlkr.exe
PID 3096 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f240609859.exe C:\Windows\SysWOW64\ivvlkr.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll

C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe

"C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe"

C:\Users\Admin\AppData\Local\Temp\f240609859.exe

"C:\Users\Admin\AppData\Local\Temp\f240609859.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\winup2date.dll

C:\Windows\SysWOW64\ivvlkr.exe

"C:\Windows\system32\ivvlkr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.mmviewer.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe

MD5 e8f00b7b09842ede8600080ba8b29ccf
SHA1 0a97cd19370d65596bf5c628b6d247bc9362a224
SHA256 71db06578766b005bc5b297baa6a34382dfcc5009086c1bfdfb9911574151dbf
SHA512 24eece275d92289e2be5597f9ade5bbe68e5c3d926fb97236fd8c7710dbedb4214926b9143eb77e464349d04e91c1fcf62ddd066565a3ddb3fe3f9538411c929

C:\Users\Admin\AppData\Local\Temp\f240609859.exe

MD5 2bbc7cfcf052d0bd00821986864725ce
SHA1 6f55c6b0edc41eec83adf92fe92f787c29527744
SHA256 29ad1a9f9f2a37498622530517f50ebce1b65be578f7e4e1b36fa4ccce2c98ef
SHA512 9256fa02173880f240408f69b12416a837b1674c9092219dfa3689ea057b0fe97ad75f3c0e433b6b261ec1aef259b4a189318de480755d6f3ebb9d2056efb7c0

memory/3096-18-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\daaqu.dll

MD5 0c7876e9c3d3a841ebbdc06dfc8e1ba1
SHA1 45cf786a3a241f35d8412449dade36c2910e20d6
SHA256 c9f68b243ddcad4542f26b97c7a17095ebefc397a7ee7bc20483063f82340496
SHA512 11a8a56c44b6843d68cbab8b95e2b6acfbb4e47d5c2f3db4a21d7bafce9f4f2edcb41c0355f675f333622b4401beb528de42ce7445991f86f53b127f8bab6b89

memory/3096-30-0x0000000010000000-0x0000000010009000-memory.dmp

memory/5004-37-0x0000000000400000-0x0000000000416000-memory.dmp

memory/776-38-0x0000000010000000-0x0000000010008000-memory.dmp

memory/3096-36-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\winup2date.dll

MD5 0d133977906f46726940c0a1ed338f3b
SHA1 b0c2dddb856d66c78b1f30e3c997d335420add2a
SHA256 47839caf62ef254f18a584cd915c1e83b4fa29a9f43400f3766d9d49e9445dab
SHA512 7d8fc2385ca330a47dc5b04f440f214b2d315db490aa9ca8e7dc4aa5182bd1ada5a8a9f052d44ee439806589262798ecf01616d572bfcca322a5b18d2e31ec73

C:\Windows\SysWOW64\dbbqmcb.exe

MD5 8bafaf18a0578642f864ed8cbf982346
SHA1 4fcb8312c5b06ef3b04f21d10f77d90a70afd006
SHA256 eab5c0bbd9c46da00f0824e554628f34552e01ceeac2febc4f4343d1c40809fe
SHA512 ea43e9ef5b1459b09b36662c5681285bf7366fdce23bd50df9567f94af768157a3be3b378e0a35de249d342b11cd0184a73458a783bb935a6672199b1d18e9a4

C:\Windows\SysWOW64\sttbrpt.dll

MD5 2a9bc69d9030a614f4cce970d21ea89f
SHA1 92e44c26a75098cb7bd3cab1b0e2a34af6d0e4eb
SHA256 1f6aa1544d355f391a088747e1cf7acd5575e0c312a4e79a3602d591bcf552e0
SHA512 8c1dbffad8f1750f5dcd76a9035a8f6b6cc38269698b0bbb1290aa305dbb52106b726b0ac92efef82ffab40af074f85f5729dcea32afb014ac913ae5582fcfad

memory/5004-49-0x0000000000400000-0x0000000000416000-memory.dmp