c8b8f23864a911f99f2c1fc9ff9ef7e27d8d8b0a9055e606fd9fa62bb0b159f5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
Size

500KB
MD5

a39de7c2c76a25bb71d476c52726fe0c
SHA1

7e059f0b77f0810235f9b3e8e8c8906df61c6b21
SHA256

c8b8f23864a911f99f2c1fc9ff9ef7e27d8d8b0a9055e606fd9fa62bb0b159f5
SHA512

55099e01c28d70b8626375ce23ff2bfcf007664e1eede1482e0eb0325c54cdb3a876870ea6d980c7f6a98b97c59db45644ffc06a9b5766061bde536d5a1ace4a
SSDEEP

12288:orx3/N1Kj/eszEgLUr7NwmjsKe5ewIZ3y2B9s6:o9310zeUmwm0eni69

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
4984	aaad.exe
4884	aaad.exe
2296	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
652	regsvr32.exe
2296	aaad.exe
2860	rundll32.exe
4544	rundll32.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe
2296	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\8ado.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\00f1	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-29-21-71-123	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\64a.bmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2296	aaad.exe
2296	aaad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4956	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	84
PID 4704 wrote to memory of 4956	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	84
PID 4704 wrote to memory of 4956	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	84
PID 4704 wrote to memory of 2720	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	86
PID 4704 wrote to memory of 2720	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	86
PID 4704 wrote to memory of 2720	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	86
PID 4704 wrote to memory of 2968	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	87
PID 4704 wrote to memory of 2968	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	87
PID 4704 wrote to memory of 2968	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	87
PID 4704 wrote to memory of 2584	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	88
PID 4704 wrote to memory of 2584	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	88
PID 4704 wrote to memory of 2584	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	88
PID 4704 wrote to memory of 652	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	90
PID 4704 wrote to memory of 652	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	90
PID 4704 wrote to memory of 652	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	90
PID 4704 wrote to memory of 4984	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	91
PID 4704 wrote to memory of 4984	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	91
PID 4704 wrote to memory of 4984	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	91
PID 4704 wrote to memory of 4884	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	94
PID 4704 wrote to memory of 4884	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	94
PID 4704 wrote to memory of 4884	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	94
PID 4704 wrote to memory of 2860	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	98
PID 4704 wrote to memory of 2860	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	98
PID 4704 wrote to memory of 2860	4704	a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe	98
PID 2296 wrote to memory of 4544	2296	aaad.exe	99
PID 2296 wrote to memory of 4544	2296	aaad.exe	99
PID 2296 wrote to memory of 4544	2296	aaad.exe	99

C:\Users\Admin\AppData\Local\Temp\a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a39de7c2c76a25bb71d476c52726fe0c_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:652
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4984
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2860

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
220KB

MD5
0b422cf9c08b39a046ddeb7193c4be0c

SHA1
0c6e280bf70866548431bd7d55598ce95d581952

SHA256
602704f54c027087a8e8d8c74fad2448bc8ce064c547a0367a8d52b38e4ee4dc

SHA512
7ec417e02682bc3610262403fe1d66474deaecc924849832ec55090f7f80b57445cb2c0caa1a0a33eec6ef5e1d8bc2c024f61b55926bd0fd2b1ccd7790db4706

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
600KB

MD5
a81aeb122db6cd0a2ae7495c1381a461

SHA1
a43fb28ac482edde23696d34ded08b38afd741a3

SHA256
ff05b22600b1d1135cc0cdf51c9f744695acc832d3371c22107941b5be94f753

SHA512
7d8e1469d3fc99e05db1317fb4baa8ab3d2ceaca4d4ebff482f76b5d1145d8b5d61a69c067dc435ae0f7c0e7e999de88d9c2b7134a641728790d7f7b62bf350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
148KB

MD5
3c6bcbd771c39e6fdf686c819cde5258

SHA1
34a36dc1d66b02274fbc080f2da407557e0724f5

SHA256
1c842e2d37e9870e1bff3679093779561c8af17582bcba56a35725505d871a7e

SHA512
3e9c5e4862e75226bf6fcd7ecdd1c02090fafbada342fb72b37b5b3539a11b561c3ca35acdfac274cba4613109e5297a6cba6b0e64a0623d0e02a77a23449a89

Download Submit