b5f1c075ae4132af19711b541143c58d3563b8fbb132141c8fc029a8baf46b79

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe
Size

856KB
MD5

6439891319cdfe03b284692ab0c14667
SHA1

537bfc471700dfc8a61badfdadab84e97b4a223d
SHA256

b5f1c075ae4132af19711b541143c58d3563b8fbb132141c8fc029a8baf46b79
SHA512

f3a75d37c6833aff49913667216327994bde88a621548177ec7c434ce765109d575b3ddecb6d07606a61c935881ed29e383bf48bb0aff49c099dde7d30dee5bf
SSDEEP

12288:M7/VlrM6lD7BhIb8Xnc0jSDsCG2rU5pIyvJJLK1HKziKo6ZX9mOu/3RyiWTOYQ2m:EHmGRpfLjmawOu/hQ02I0XILJ

Score

8^/10

adware bootkit persistence stealer upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B279-11d2-9CBD-0000F87A369E}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B279-11d2-9CBD-0000F87A369E}\ = "Ver279"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B279-11d2-9CBD-0000F87A369E}\stubpath = "C:\\WINDOWS\\Xedie\\svchost.exe"	svchost.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe

Executes dropped EXE 18 IoCs

pid	Process
3220	csrzew.exe
4640	csrzet.exe
4524	smcnef.exe
1584	34.exe
4908	smcnee.exe
4360	winders.exe
3224	smcnec.exe
3728	smcnee.exe
2712	winders.exe
4008	csrzez.exe
2560	34.exe
432	svchost.exe
752	cmdl32.exe
2440	cmdl32.exe
2800	36bd.exe
3724	36bd.exe
3712	36bd.exe
2716	mtv.exe

Loads dropped DLL 34 IoCs

pid	Process
3220	csrzew.exe
4028	regsvr32.exe
3712	36bd.exe
4272	rundll32.exe
1292	rundll32.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe
3712	36bd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234f1-74.dat	upx
behavioral2/memory/3224-114-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	csrzet.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	csrzet.exe
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\36ud.exe	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	csrzet.exe
File created	C:\Windows\SysWOW64\26-678288	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	csrzet.exe
File created	C:\Windows\SysWOW64\deleteinstaller.txt	smcnec.exe
File created	C:\Windows\SysWOW64\019	rundll32.exe
File created	C:\Windows\SysWOW64\mn.dll	smcnec.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	csrzet.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	csrzet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2128	2712	winders.exe	98

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\cmdl32.exe	34.exe
File created	C:\Program Files (x86)\Messenger\34.exe	csrzew.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\ms.job	csrzet.exe
File opened for modification	C:\Windows\b5b3.bmp	csrzet.exe
File created	C:\WINDOWS\Xedie\svchost.exe	smcnee.exe
File opened for modification	C:\Windows\cd4u.bmp	csrzet.exe
File opened for modification	C:\Windows\0acu.bmp	csrzet.exe
File opened for modification	C:\Windows\cd4d.flv	csrzet.exe
File created	\??\c:\WINDOWS\279.txt	smcnee.exe
File opened for modification	C:\Windows\480.exe	csrzet.exe
File opened for modification	C:\Windows\d48.flv	csrzet.exe
File opened for modification	C:\Windows\80a.bmp	csrzet.exe
File opened for modification	C:\Windows\d48d.exe	csrzet.exe
File opened for modification	C:\Windows\3cdd.flv	csrzet.exe
File created	C:\Windows\winders.exe	smcnef.exe
File opened for modification	C:\Windows\b3cd.exe	csrzet.exe
File opened for modification	C:\WINDOWS\Xedie\svchost.exe	smcnee.exe
File opened for modification	C:\Windows\winders.exe	smcnef.exe
File opened for modification	C:\Windows\436b.flv	csrzet.exe
File opened for modification	C:\Windows\cd4d.exe	csrzet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	2128	WerFault.exe	98

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023485-5.dat	nsis_installer_2

Modifies registry class 49 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0150E15B-3020-4e25-94EC-41E5818C5D52}\fid = "2462"	csrzew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0150E15B-3020-4e25-94EC-41E5818C5D52}	csrzew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4908	smcnee.exe
4908	smcnee.exe
4908	smcnee.exe
4908	smcnee.exe
3728	smcnee.exe
3728	smcnee.exe
3728	smcnee.exe
3728	smcnee.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
3712	36bd.exe
3712	36bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4524	smcnef.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3224	smcnec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3220	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	84
PID 852 wrote to memory of 3220	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	84
PID 852 wrote to memory of 3220	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	84
PID 852 wrote to memory of 4640	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	85
PID 852 wrote to memory of 4640	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	85
PID 852 wrote to memory of 4640	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	85
PID 852 wrote to memory of 4524	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	86
PID 852 wrote to memory of 4524	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	86
PID 852 wrote to memory of 4524	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	86
PID 3220 wrote to memory of 1584	3220	csrzew.exe	87
PID 3220 wrote to memory of 1584	3220	csrzew.exe	87
PID 3220 wrote to memory of 1584	3220	csrzew.exe	87
PID 852 wrote to memory of 4908	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	89
PID 852 wrote to memory of 4908	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	89
PID 852 wrote to memory of 4908	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	89
PID 4524 wrote to memory of 4360	4524	smcnef.exe	88
PID 4524 wrote to memory of 4360	4524	smcnef.exe	88
PID 4524 wrote to memory of 4360	4524	smcnef.exe	88
PID 4524 wrote to memory of 4528	4524	smcnef.exe	90
PID 4524 wrote to memory of 4528	4524	smcnef.exe	90
PID 4524 wrote to memory of 4528	4524	smcnef.exe	90
PID 852 wrote to memory of 3224	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	91
PID 852 wrote to memory of 3224	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	91
PID 852 wrote to memory of 3224	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	91
PID 4908 wrote to memory of 3728	4908	smcnee.exe	92
PID 4908 wrote to memory of 3728	4908	smcnee.exe	92
PID 4908 wrote to memory of 3728	4908	smcnee.exe	92
PID 3224 wrote to memory of 3516	3224	smcnec.exe	56
PID 852 wrote to memory of 4008	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	93
PID 852 wrote to memory of 4008	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	93
PID 852 wrote to memory of 4008	852	6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe	93
PID 4640 wrote to memory of 2804	4640	csrzet.exe	94
PID 4640 wrote to memory of 2804	4640	csrzet.exe	94
PID 4640 wrote to memory of 2804	4640	csrzet.exe	94
PID 1584 wrote to memory of 2560	1584	34.exe	95
PID 1584 wrote to memory of 2560	1584	34.exe	95
PID 1584 wrote to memory of 2560	1584	34.exe	95
PID 3728 wrote to memory of 432	3728	smcnee.exe	97
PID 3728 wrote to memory of 432	3728	smcnee.exe	97
PID 3728 wrote to memory of 432	3728	smcnee.exe	97
PID 2712 wrote to memory of 2128	2712	winders.exe	98
PID 2712 wrote to memory of 2128	2712	winders.exe	98
PID 2712 wrote to memory of 2128	2712	winders.exe	98
PID 2712 wrote to memory of 2128	2712	winders.exe	98
PID 2712 wrote to memory of 2128	2712	winders.exe	98
PID 2560 wrote to memory of 752	2560	34.exe	99
PID 2560 wrote to memory of 752	2560	34.exe	99
PID 2560 wrote to memory of 752	2560	34.exe	99
PID 4640 wrote to memory of 1700	4640	csrzet.exe	101
PID 4640 wrote to memory of 1700	4640	csrzet.exe	101
PID 4640 wrote to memory of 1700	4640	csrzet.exe	101
PID 752 wrote to memory of 2440	752	cmdl32.exe	103
PID 752 wrote to memory of 2440	752	cmdl32.exe	103
PID 752 wrote to memory of 2440	752	cmdl32.exe	103
PID 4640 wrote to memory of 2484	4640	csrzet.exe	104
PID 4640 wrote to memory of 2484	4640	csrzet.exe	104
PID 4640 wrote to memory of 2484	4640	csrzet.exe	104
PID 4640 wrote to memory of 4016	4640	csrzet.exe	106
PID 4640 wrote to memory of 4016	4640	csrzet.exe	106
PID 4640 wrote to memory of 4016	4640	csrzet.exe	106
PID 4640 wrote to memory of 4028	4640	csrzet.exe	108
PID 4640 wrote to memory of 4028	4640	csrzet.exe	108
PID 4640 wrote to memory of 4028	4640	csrzet.exe	108
PID 4640 wrote to memory of 2800	4640	csrzet.exe	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6439891319cdfe03b284692ab0c14667_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\csrzew.exe
    "C:\Users\Admin\AppData\Local\Temp\csrzew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Program Files (x86)\Messenger\34.exe
      "C:\Program Files (x86)\Messenger\34.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Program Files (x86)\Messenger\34.exe
        
        "C:\Program Files (x86)\Messenger\34.exe" 2748
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Program Files (x86)\Messenger\cmdl32.exe
        
        "C:\Program Files (x86)\Messenger\cmdl32.exe" {E52F166E-FEF2-4aac-B9D3-C95C5F86B6A9} 4424 "C:\Program Files (x86)\Messenger\34.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Program Files (x86)\Messenger\cmdl32.exe
        
        "C:\Program Files (x86)\Messenger\cmdl32.exe" {E52F166E-FEF2-4aac-B9D3-C95C5F86B6A9} 4424 2140 "C:\Program Files (x86)\Messenger\34.exe"
        7⤵
        Executes dropped EXE
        
        PID:2440
- - C:\Users\Admin\AppData\Local\Temp\csrzet.exe
    "C:\Users\Admin\AppData\Local\Temp\csrzet.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:4028
  - - C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -i
      4⤵
      Executes dropped EXE
      PID:2800
  - - C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -s
      4⤵
      Executes dropped EXE
      PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2716
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
      4⤵
      Loads dropped DLL
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\smcnef.exe
    "C:\Users\Admin\AppData\Local\Temp\smcnef.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\winders.exe
      "C:\Windows\winders.exe"
      4⤵
      Executes dropped EXE
      PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\smcnef.exe > nul
      4⤵
      PID:4528
- - C:\Users\Admin\AppData\Local\Temp\smcnee.exe
    "C:\Users\Admin\AppData\Local\Temp\smcnee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\smcnee.exe
      C:\Users\Admin\AppData\Local\Temp\smcnee.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\WINDOWS\Xedie\svchost.exe
        
        C:\WINDOWS\Xedie\svchost.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:432
- - C:\Users\Admin\AppData\Local\Temp\smcnec.exe
    "C:\Users\Admin\AppData\Local\Temp\smcnec.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3224
- - C:\Users\Admin\AppData\Local\Temp\csrzez.exe
    "C:\Users\Admin\AppData\Local\Temp\csrzez.exe"
    3⤵
    - Executes dropped EXE
    PID:4008

C:\Windows\winders.exe
C:\Windows\winders.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 12
    3⤵
    - Program crash
    PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
1⤵
PID:1252

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:3712
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Messenger\34.exe

Filesize
136KB

MD5
eb3bddc0e8c7f1c51c1df429248ede3b

SHA1
64f25a198d819938fe338b2848476516bff10b05

SHA256
775f61635a7a71bfd8c19b854b07059f168cb2aa703c45ae4d38debf85a806aa

SHA512
25fc5379564b3d850fe20b08042d0625326cccfa2aaf3b54622b3d35ae0a5f0b0f47f80a9f71d2753101377bdb3d2081711372ae4b135ad847b44363804e0d3d

Download Submit
C:\Program Files (x86)\Messenger\cmdl32.exe

Filesize
136KB

MD5
aab37d510aa55095b807d4fe2437d75d

SHA1
3e8558a730b9d1cb95e00affd5842f7fe8186f0a

SHA256
58e6a1ca8db6369b96b8042c6833a7b5c813a3b67e83c36963b1a8619c33caab

SHA512
952dade92b09d7a8b2200e46a2d9bffd5f246066a9805bc480b39d00bd2f44865e48002675685cb8d191bf90b6355cedf6321bc15550d4e80e6b766b580475de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck4\tmp.exe

Filesize
112KB

MD5
d19979326b09fa297ea3ce9ce838ce67

SHA1
be1683b0776474a50446311740979be583247d4f

SHA256
2b58489f6bf9dfd1fb65098141f05d614547a9d8ad5a01ad8f3b69f9aedae2e0

SHA512
e0d963a17220f07eb333f04ba8c068f21984691966cabbdf37d4025f08de6872029aa4320e51f0deb8f10aab8ee4bdd9897383e4b499d2e61421ac0d51a2effe

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrzet.exe

Filesize
496KB

MD5
2fc1f5bdc63406ccf63f4496bb8d6fc4

SHA1
887e626214aea31cb415fbb7642fa934b51cbb4f

SHA256
585b15d7d77e4efc6d011616dd2fb9201ce4449d4c535e3edbc9dd45ced1fd37

SHA512
5d99029851e8b6818ec61c86d9d122f241139a2a65359a144a9926c7f0f1fe57b685faad630a2cc07a0972bf7de74f5a6290469f4f305a47dcdc762cfa68b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrzew.exe

Filesize
107KB

MD5
2953bd266cf44051e17cc600699dd783

SHA1
5e14209f8bcc62d94a46f08350405f7d6652adfe

SHA256
8782f9d80db44ee2ca9693f42a7c0fdb12458e6b914b372abdd9aa02b836b750

SHA512
977f8f995152a52c3d5fe15014956593d442b5a5bf62d3f4364537f6f713985a2c9f1b9754f098f0b9b76cf0b5a7f771368431bb7c080865a39397c0e0d14577

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrzez.exe

Filesize
142KB

MD5
7a9456ca6cd092c1b98d640b596a1cdc

SHA1
4236c48dae4af7a6c6eb9fdb027ae8884382b229

SHA256
58a3b5a44604c7aaadb3200bd8546b9f67c3a2bac288711384eb176bd9ccf7a9

SHA512
2cb94f07cc03d5244e70e5598c94439e3ae22c721762aa9ef4bb9bb36736fea5f7d4dd5fdc5bd04b932872fb5af941b4c8d51dd2d6f442002df814cbed582d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
192KB

MD5
7f8b5fd1f2d8105afe68f7d2c4bd252f

SHA1
290b1f7a216a2c9d58cfea7713fc46dfeaf74de7

SHA256
1c63bc853eda6f65a0b190e9eccebe8ea6b67623388cf6e46fe7bd1a2e550778

SHA512
9b85b8e2bdbaad22e94ae030e333b93b0e1fb806c9b3d5e2c66dddb48c5dc0afe70faf9beaf6c3b4ed296d16411ec3d9a3099ca40d0aec21760aa3e89178f1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
80KB

MD5
6e79f3c84472207598c603b382a0be15

SHA1
fed34f47f0a8477fb7f477c2c89c55c0967919e9

SHA256
a2855851d5a99e1453b932724a2bcbe29396c1453c3a9f19659c09480ee34fe5

SHA512
b2e0c254bf605777776cf9048e77d3ca70efc171a8e774521571f759ef21902adcdc5b2bab8142e19b449d06ccac42e2637506897121e1fe16fe23e9ddf71daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
463KB

MD5
6814f085a4a4140fff52802078d82336

SHA1
6d87870ef8560156e6b7e2db17f6240cf0dd8f66

SHA256
e4e5ec407b2a890e44fa8c73f459fe91887f4967eb86422482845cfe36138d6a

SHA512
f5ef37778fe7e07779c8220913c9ace3d2f86e55ef32e2ac5a24ac746cde36cfe3fc12e96343776ed1e1de45c8a680035aac8f51008ae53e86ac385bc2bd353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
168KB

MD5
36641fe45e938057fc48f98bf709103e

SHA1
789e7dacc8c8e0b35b666054db315a7b77ca94b7

SHA256
9bb7e5a90b7eeecc3a6d0b3abacd7a25a380c723f582dada840d3503be9a3e71

SHA512
d441d36be400bb6d7e991f29a30c9d97e3b63e8672af7358cb5379602746a9f6ab1e6120594d664eb182dcac36f38d39edd8d54c551db629015960d5f1ed1856

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AEA.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\smcnec.exe

Filesize
63KB

MD5
afd13c1ede9e22a35c1da893c6c4f755

SHA1
e28aa9428f499fc9d58ff16f47a0a4f59e419970

SHA256
663b449968e4e39e0241112c58dabbf71ce9de6eef15c5c6a85db69d978983aa

SHA512
827aff5a0acf218167fa4eca4f56f9b9a93188e17e6db92fa1d1a7fc188a61a48edf740b4de1e781eff42d08e114fb50faa5882bf7faa7cfc364e4f149f642f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\smcnee.exe

Filesize
14KB

MD5
d7d709b5697768e701401c1baa1adc94

SHA1
4a72d73327b299f4d564bd37a985a16a48bc4460

SHA256
7e1fcf9331760dc228da8da222f45473ec76d7bb1c5b7c8d42f554a3b5457b7d

SHA512
df74cb61670518dc28e3c8619a6ff372ad9ec4f388d6e04a52ddf5b6686d38658de8899c8237e7ea3f762ba36348a4581c5b8c6bda696ea5fb567424a8066e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\smcnef.exe

Filesize
31KB

MD5
10003e2d82f656385bbca4144e0577da

SHA1
e095ab6d525e3f710a566dc983a4b51dd882c8db

SHA256
18ee1cc1757593cd4f29be4d093c8c8faa5eb47869c86faf057a1d4c5b992f63

SHA512
b492c7fb60ad8a23d3604045b84b946db25e1ae18a2c3907242042b7737ce0189fb9c8ab5d568759bb037557c230115e2834acc37b7417cdadd54d4de60b19fc

Download Submit
C:\Windows\Xedie\svchost.exe

Filesize
15KB

MD5
9d61b57ef7f4956271086bcf7b0a2b46

SHA1
142fe55c3a09f1f44b2eacd6cec75acd9c0a530d

SHA256
7638fa66bf8d135a55de26ff6d4c481702b2b2c0cc8fa7d500343ba79599bf62

SHA512
f08347217ad1b60f6a6c93e3ba29e35c1ed41c3ad5cdd4d97c43fd11a7188230ae226c62f2e2c4800e6b16340a98f262146dcd7d03dfc1fabb14010be6debab7

Download Submit
\??\c:\WINDOWS\279.txt

Filesize
44B

MD5
bc961cb74e3273ff9cf6b66fac0c5f88

SHA1
80a75af9a7a3ebc877fd5b0b96e9a558acffde96

SHA256
05acf8b9634950a071c7832f1e00c7cb8511f4c818ce9cd5fd4d6ceda7f406ca

SHA512
1ad219c2d198b64eb343c6a605e74c8620b712774fd5d9d99aeeb5ac8aed3811082736f6ce9ca2822cef6679b8cd2296870b3da5594b6f0bcb97a8be10fdab9c

Download Submit
memory/852-0-0x0000000000400000-0x00000000004D7942-memory.dmp

Filesize
862KB

Download
memory/852-122-0x0000000000400000-0x00000000004D7942-memory.dmp

Filesize
862KB

Download
memory/2128-130-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3224-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4008-195-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download