5b121c485ac955445c9f9550f1f700c684016b0443beac607f76aab3d6826e34

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
Size

520KB
MD5

8b78b909dcfe0d6e263e5e16481672f6
SHA1

196bf89833b7e99e8479bcf8b48ac503ebc6ac4e
SHA256

5b121c485ac955445c9f9550f1f700c684016b0443beac607f76aab3d6826e34
SHA512

23b5856fd7786fad1aeafff88c7b1ded7a8b046b43590f6af4cff7eab94e2b4ead26515fbfc43cab82a51a0de0e5be558f31c88a3c7a3cea76bee386ad34a5fa
SSDEEP

12288:+lI39/HDTRV+XMcg5Hzqx3Kyw3XgUGk4nc/GlfCtzkcuWN77ut:+lI3NHDTeXMcMWxRwHgNMKfCt/Nm

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 4 IoCs

pid	Process
3044	q.exe
2728	aaad.exe
2856	aaad.exe
4704	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
3428	regsvr32.exe
4704	aaad.exe
5016	rundll32.exe
3680	rundll32.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe
4704	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ = "Generic BHO"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\33u6.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-119-98-125-105	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	q.exe
File created	C:\Windows\SysWOW64\111	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\64a.bmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{53738F3D-33DE-4bf3-8F3F-0FDA9BBE7121}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{53738F3D-33DE-4bf3-8F3F-0FDA9BBE7121}\ = "BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	aaad.exe
4704	aaad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3044	q.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2548	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	84
PID 4848 wrote to memory of 2548	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	84
PID 4848 wrote to memory of 2548	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	84
PID 4848 wrote to memory of 2104	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	85
PID 4848 wrote to memory of 2104	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	85
PID 4848 wrote to memory of 2104	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	85
PID 4848 wrote to memory of 1212	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	86
PID 4848 wrote to memory of 1212	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	86
PID 4848 wrote to memory of 1212	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	86
PID 4848 wrote to memory of 4508	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	87
PID 4848 wrote to memory of 4508	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	87
PID 4848 wrote to memory of 4508	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	87
PID 4848 wrote to memory of 3044	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	88
PID 4848 wrote to memory of 3044	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	88
PID 4848 wrote to memory of 3044	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	88
PID 4848 wrote to memory of 3428	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	90
PID 4848 wrote to memory of 3428	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	90
PID 4848 wrote to memory of 3428	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	90
PID 4848 wrote to memory of 2728	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	91
PID 4848 wrote to memory of 2728	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	91
PID 4848 wrote to memory of 2728	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	91
PID 4848 wrote to memory of 2856	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	93
PID 4848 wrote to memory of 2856	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	93
PID 4848 wrote to memory of 2856	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	93
PID 4848 wrote to memory of 5016	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	100
PID 4848 wrote to memory of 5016	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	100
PID 4848 wrote to memory of 5016	4848	8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe	100
PID 4704 wrote to memory of 3680	4704	aaad.exe	101
PID 4704 wrote to memory of 3680	4704	aaad.exe	101
PID 4704 wrote to memory of 3680	4704	aaad.exe	101

C:\Users\Admin\AppData\Local\Temp\8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b78b909dcfe0d6e263e5e16481672f6_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3428
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5016

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
380KB

MD5
b983302b8b45b453a5b3104bfdc1a973

SHA1
dc006cc01841931cfb58f297fcb80e567b1a7574

SHA256
6527e9592edc1c9efad835630da58412c840475bdd235238470fb66073f565de

SHA512
e7d321c0816ed3da62bf163e1957d896b4463dd943c354cdaad94bd9c94ddf86f1c8783d0c0418bbb70b0aa911d16c9782027c73f1f6aabc220b0680a69a9c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe

Filesize
92KB

MD5
96304ef9a2c3c1e384be4b58771e3a43

SHA1
323ae38af1ee65168abd25e17b177d1a3ecb5880

SHA256
68c2a4524b2171a623093695fe0cb2b51f122d9c46204ef4d724b59e973186ec

SHA512
023bac06f494625aecd015c2d3fe33f981c410b098c8aed988e321786aa4b0a5e22269e73dfa55fe8ebcd5e13fac566f89133bbc29a68e7a268190a25b319aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
108KB

MD5
923a5fc659a884ed9b30c327732f0caf

SHA1
1dcc3f0e654ea2098cbe9f023bea150711caac6f

SHA256
38c74477e1098bb34c0a3417fa34c021b0b99ad175765d65b8c417a45eaa804f

SHA512
60f7b99642a32b5fc7871333e1292f4d7d2dc14269ad2ecae4943d8ee7c4db77798b23b22356241c8640a88ccc80ccd2c284280b7147be92e4df83c99127972a

Download Submit
C:\Windows\SysWOW64\8ado.dll

Filesize
136KB

MD5
64db1299c26aa1479e40be31034b7b7b

SHA1
d917bb0e47574721e3457edead34e5ca926bf31c

SHA256
64a330806590c6505c1d6932f85777adf5138d6b9ae7babe7cdd42f05caa03f4

SHA512
1219fb3a3a98af6ccbce05d2908df8fc9b8575f29a5c187b5471563de9404232d1dcfcaaf9c3cde7a14255caea4de86731857570bc130604a082ae85b950922e

Download Submit
C:\Windows\Temp\tmp.exe

Filesize
20KB

MD5
c060f4d902b639dc692b5bff2fb199c5

SHA1
7b1b4fdb3f9b4f94af40682026b5367347bc8bc5

SHA256
cfc8cc21ac16b078291139cdfed435de23bd4144d238828063c48d26e42827fb

SHA512
a545142c3e06c6d36e610962d46f229ada793a9e73da4251d40f15f2f31bafcadd80d17a94f8bd4edb1e9dc98344df3ad65fcdaaf71235a279e2b10a4c3d8afb

Download Submit