Overview

overview

8

Static

static

3

ae929ed213...18.dll

windows7-x64

8

ae929ed213...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae929ed213a21693e756f1d1e371fa2f_JaffaCakes118.dll

  • Size

    339KB

  • MD5

    ae929ed213a21693e756f1d1e371fa2f

  • SHA1

    e053b8d49a084174667b88c11dad8df4db5db475

  • SHA256

    732c1087609d0caefc85dcbe690beb80dc8446fe0174e764d1ae70d26585e2a2

  • SHA512

    9041f521590c6938e9efa434a37682caa0f5e7427a59c2214a82b93f6c076cd500348d3eb6ac37e8d8abcbeda250ccecd25847d1639730c49ed522708cf4c630

  • SSDEEP

    6144:OL49uYqfNWE/4rcPmsgeRwOuweho3ariB3Ndzj6CpYUmmN2vPaUzW4:VBqFX/2cPMtWq2bWCpYU0O4

Score
8/10
adwarebootkitdiscoverypersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 45 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae929ed213a21693e756f1d1e371fa2f_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae929ed213a21693e756f1d1e371fa2f_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2888
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2908
      • C:\Windows\SysWOW64\36bd.exe
        C:\Windows\system32/36bd.exe -i
        3⤵
        • Executes dropped EXE
        PID:2636
      • C:\Windows\SysWOW64\36bd.exe
        C:\Windows\system32/36bd.exe -s
        3⤵
        • Executes dropped EXE
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
        C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1640
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1612
  • C:\Windows\SysWOW64\36bd.exe
    C:\Windows\SysWOW64\36bd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
    Filesize

    67KB

    MD5

    8cdc873c0629afa3b392b231849230de

    SHA1

    7fc0868248e0c72a25b9f2dcbbd541537ab4e018

    SHA256

    b1f839c50341af463a0f165ee65bea649692c82ced33bf4bbbb2a40e6190e254

    SHA512

    21502462ba27b5548d53b8e7829ddbacc47552260552854fb5305cbf1302e928c60e20cd82c776e336f26126019d4a9ea65c3968515bdef4734d9e5d94da4332

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
    Filesize

    178KB

    MD5

    5819ba57bdb4b225529d6aa9fa1b9726

    SHA1

    7ed4a4e1b82df6080ddafda20ae0f606eedc1eb4

    SHA256

    dfef78b03c47b13c891ca6079534422e5913d8b13ebb66865db89dfad6b6db1e

    SHA512

    f6635fd4a5f7f3f0a172eac1ad9b87301df2a9bc98bb4f34f72c1addc5e29f438e05dbee4546dc6a4e82871b8e3058dfb41e65b7baaccd8aadc8f5ee09517d93

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
    Filesize

    216KB

    MD5

    beb77a3a4321e6aa0db9e4806ca0b404

    SHA1

    35aa63000f3e5ad34036b460d14b864e57fe4217

    SHA256

    6a11e2307552a6cabd20c9b486e7888591d9ef4dced2f8ce21c1b1a31d9e52b0

    SHA512

    e6ef8e9d51e860c697179a4892876cbbf7047a1456a89c1865b72dcd6872803cea1c20b4a50f201a88b2547604df864dfe003daaa89c55a4c422030517822a7c

    Download Submit

  • C:\Windows\Temp\tmp.exe
    Filesize

    116KB

    MD5

    1fbbc7ac29b085b431309615f59384b3

    SHA1

    e473b19432907ebff226084a5b5f85a9150aa0e2

    SHA256

    94a4ce11dc4ae8a5952ff6ca3ecd0845778576cb352d1e5d93c06253adadc305

    SHA512

    6ecb01361fcb1b7464c007236583a79100ce80e10a0b9ab5304b48ec1ed6572d12ddff2da5c7ce1f3d375a9430da8764932618ee31ede01dbe88b0b808d342a0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    Filesize

    100KB

    MD5

    e892a2a9c083204275eec3c2cb765441

    SHA1

    a0c4ac689f3ab82f7fb5f8229e17818f3526e6f4

    SHA256

    de7c9eefabb49beff86879694e77451371bcc782ecfc20fb6ebe36ada8fb8fc9

    SHA512

    f81d69d23511dec4423795fac54f61fc89a49feec6e0bc93af2f43953b093457e75be1c71a40b338889bdceb7b06003dd4162394adbb612dc41c49d97990f98b

    Download Submit

  • memory/1612-131-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2108-4-0x0000000000100000-0x0000000000102000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2108-3-0x0000000010000000-0x000000001006D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2108-2-0x0000000010000000-0x000000001006D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2108-1-0x0000000010000000-0x000000001006D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2108-0-0x0000000010000000-0x000000001006D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2464-180-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-166-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-208-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-206-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-205-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-83-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-133-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-202-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-136-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-140-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-199-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-142-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-145-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-200-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-147-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-150-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-154-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-156-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-160-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-163-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-165-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-196-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-169-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-171-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-174-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-177-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-176-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-181-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-193-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-183-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-186-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-187-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-190-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-189-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-194-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2696-114-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-144-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-139-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-135-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-111-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-112-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2696-113-0x0000000010000000-0x00000000100A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2908-59-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download