a4a83823b8e512afcb9b6a621d555cfe48afa6b65d3dfc2fa3e495eed6314b0f

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
Size

488KB
MD5

74e4508df91dcca124c3b0d6eb2fab17
SHA1

0e0af57d62b126c4cab4f396aa3f659374b95280
SHA256

a4a83823b8e512afcb9b6a621d555cfe48afa6b65d3dfc2fa3e495eed6314b0f
SHA512

a77dec8840dbe293091416e0e4c6f510801c32fa57e92fd52d66798d9e0be792a4d6e64fdd10cfb554c4ea6e403384f47195a8489b394d4743fd92728c7a8335
SSDEEP

12288:wNSIpoJ3vpAALhchj5m6dCdiIp1gcxZh2uUyqfY45FiDhyaKjK8:wIJ3BAlhj74diIHgYh2u3qt2DhA28

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b55d.exe

Executes dropped EXE 3 IoCs

pid	Process
2456	b55d.exe
2828	b55d.exe
2684	b55d.exe

Loads dropped DLL 49 IoCs

pid	Process
2936	regsvr32.exe
2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
2456	b55d.exe
2456	b55d.exe
2456	b55d.exe
2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
2828	b55d.exe
2828	b55d.exe
2828	b55d.exe
2684	b55d.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
3016	rundll32.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe
2684	b55d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	b55d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\353r.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b55d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\8044-7438	rundll32.exe
File created	C:\Windows\SysWOW64\0b7	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\46be.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\d48.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\480d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\80a.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\80au.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\b3cd.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55d.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID\ = "BHO.MsnPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID\ = "BHO.MsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\AppID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2684	b55d.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2232	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	30
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 800	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2176	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2492	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2936	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2456	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	35
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2828	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	37
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2684 wrote to memory of 2360	2684	b55d.exe	41
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40
PID 2692 wrote to memory of 3016	2692	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:800
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2936
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3016

C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
212KB

MD5
8cd04663bc633a16c83b3b2aa63c6892

SHA1
7e780775d41da819a9f5f8b9f6c7769f7d4b1c76

SHA256
e94c96856b474b8bc8a6c367846af234de769dc6b7477cc35052b467414b6f30

SHA512
0588e0ea45ace0319c6c56ae7c6523d5a07af18c639fe13796aa640fcf87a375ca11068f05ec53c8de288e8ea4423ae34d11c76a42e01cfebb3d5e1f433f998e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
400KB

MD5
612f8ce80c17eb2131dda6bfb7c624fa

SHA1
9241b37625412705c7e3538b27903a08826502fc

SHA256
229480e8e152bc0f7c7f72c938b0e730a5eda3894e5594a3a87fa746de930473

SHA512
ac29d24beaa64fd71e50692251e51e4ba9ecd3f00f83b135db2cfd6b86c8ebd4714e3b1901786871c5dbcab1a62ded0dd5eddfea796ccdd6bb01799fe8fcbbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
184KB

MD5
a70b08e85931932aa9d8f2c28ef29d57

SHA1
808cf75da23fd68d11e57652a7f880835686aa13

SHA256
ed15b4b56549ee6ec125424b17632774b568c7ecda2bd0ab03ffeb59c6ce17fc

SHA512
0d29ba7cbedbc390601ea86b54c4a408ea2cc1b8cbc27582ed3b6114be2f187c78618f68023d19d87d54be36877fab596c652804f7beb872cafe002967655fc9

Download Submit