af1bbb21e8744b9572c291304b98064e9842572d92bb67d4e4e3c9ffdf07781e

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
Size

417KB
MD5

38c7b3a1e607aed753b35b78a105b029
SHA1

c3a2d3d83fb4e29c03e6cc5c34a53ae34cc792d1
SHA256

af1bbb21e8744b9572c291304b98064e9842572d92bb67d4e4e3c9ffdf07781e
SHA512

78df751971b3b28c7180ee80024c727adbfd50a500043a95dc1723d7e4866f19722207af9d9bd663c2a4d3424dcb0799082fb3284c1e813ee0fd1e4ec86ce8d4
SSDEEP

12288:Dr1WiLwWEaCmqp43s39OHCkM4ch8eLZDPK6w:9WOt2mL3s3gbMoi1w

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b55d.exe

Executes dropped EXE 3 IoCs

pid	Process
2852	b55d.exe
2636	b55d.exe
2392	b55d.exe

Loads dropped DLL 49 IoCs

pid	Process
2984	regsvr32.exe
2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
2852	b55d.exe
2852	b55d.exe
2852	b55d.exe
2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
2636	b55d.exe
2636	b55d.exe
2636	b55d.exe
2392	b55d.exe
1484	rundll32.exe
1484	rundll32.exe
1484	rundll32.exe
1484	rundll32.exe
1048	rundll32.exe
1048	rundll32.exe
1048	rundll32.exe
1048	rundll32.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe
2392	b55d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE2C6476-6830-4483-A376-6058781C7154}\ = "Microsoft User"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE2C6476-6830-4483-A376-6058781C7154}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	b55d.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\24de	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dlltmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b55d.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\46be.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-60-48-45-107	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\b3cd.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\80au.bmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.flv	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\80a.bmp	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\d48.flv	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
File opened for modification	C:\Windows\480d.exe	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib\ = "{D9C916B1-7134-40E1-91AC-6932C6960A6B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{FE2C6476-6830-4483-A376-6058781C7154}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib\ = "{D9C916B1-7134-40E1-91AC-6932C6960A6B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E533193D-2170-41A4-86D7-E4822455F193}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{FE2C6476-6830-4483-A376-6058781C7154}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE2C6476-6830-4483-A376-6058781C7154}\TypeLib\ = "{D9C916B1-7134-40E1-91AC-6932C6960A6B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9C916B1-7134-40E1-91AC-6932C6960A6B}\1.0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2392	b55d.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2124	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2764	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2808	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2812	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2984	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2852	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2636	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	37
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2384 wrote to memory of 1048	2384	38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe	40
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41
PID 2392 wrote to memory of 1484	2392	b55d.exe	41

C:\Users\Admin\AppData\Local\Temp\38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38c7b3a1e607aed753b35b78a105b029_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
  2⤵
  PID:2124
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
  2⤵
  PID:2808
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
  2⤵
  PID:2812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2984
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2852
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2636
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
  2⤵
  - Loads dropped DLL
  PID:1048

C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll

Filesize
83KB

MD5
40b5629e4fcc3dba8e0363f132f8cd47

SHA1
6495d3ab0ffd901a876362258c1ae30a043ec05e

SHA256
0910b095d7ad49fcd161411e0f15ad89129ed75177be8c097d51a477c3c6e12a

SHA512
38cbf73f88e7153a0cd2f9e54331548d65b90404f1a43672e9099d982e07ec6e9c2280ca4b49257f903d496587f12a9c020a7987b645a427f0a9082a13907df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
93KB

MD5
46d6032ea50d9a571332da56c0af5348

SHA1
25dbf270aa07b9ff7d5b1cec72c813b401ecbc1f

SHA256
9c280248baa9512fbf4bc44e8aa1b7dc69306349fa93e552ecdc4964ef1a1691

SHA512
3994c9380673704c2dd30639582a3edbc05e0fa302e5493251d0503c2d13d2490f9b0d3c9c94702a26274744033ff8647026d669e13d48d20ae6360281887e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
215KB

MD5
94a1bda50441ef499e681b84ab7f6078

SHA1
4db1d26d8de273e5b2b635429c9b8ddbecc796a3

SHA256
51f588eec6e24f6c22b6e3d2f6c9f465ff72772bede9e312efc9055ad5daabf9

SHA512
891c200cfe604a35e2adc96230595a3248994f825ac008af8f40a4e1ca09a9f8e422936f3d3004f58ec1ed2a76e22463b015e29557e6002d793532cc6021f4ae

Download Submit
memory/1048-108-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1484-127-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1484-121-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1484-115-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1484-107-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/2384-96-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2384-1-0x0000000000240000-0x00000000002B2000-memory.dmp

Filesize
456KB

Download
memory/2384-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2384-2-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2384-61-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2384-67-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2392-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-130-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-181-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-179-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-177-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-97-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-176-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-174-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-173-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-112-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-113-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-116-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-170-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-118-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-119-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-122-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-166-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-124-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-125-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-128-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-162-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-158-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-131-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-134-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-136-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-144-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2392-146-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2636-86-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download
memory/2636-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2636-89-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2636-84-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download
memory/2636-85-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download
memory/2852-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2852-73-0x00000000001C0000-0x00000000001DD000-memory.dmp

Filesize
116KB

Download
memory/2852-75-0x00000000001C0000-0x00000000001DD000-memory.dmp

Filesize
116KB

Download
memory/2852-74-0x00000000001C0000-0x00000000001DD000-memory.dmp

Filesize
116KB

Download
memory/2852-76-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2984-52-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download