f6791f317ce9a8151584bd59f746ee5a73e10fe136edaa9cd8b87c3764b1a392

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
Size

496KB
MD5

bbfa62b6c7c379f1272b0b199d754d8e
SHA1

906aa1f059cf51351a02fa2d78bd20e12b4f0d4c
SHA256

f6791f317ce9a8151584bd59f746ee5a73e10fe136edaa9cd8b87c3764b1a392
SHA512

0473d624e91442049c90ac892c405622fe473ff373b0f6aa3f99a895b6c4859001aba8fd20db530022d6f186eadf14cb938fb3cb97e9c9fcd57fbde2dab286bf
SSDEEP

12288:hW0d5M1ibCZ87uR7RDdbXtQKDhh25cvU2KlwoH9ya3k:hZM1a5eRBrZX0BlBwh

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Executes dropped EXE 4 IoCs

pid	Process
2760	36bd.exe
2320	36bd.exe
844	36bd.exe
2400	mtv.exe

Loads dropped DLL 54 IoCs

pid	Process
3012	regsvr32.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
2760	36bd.exe
2760	36bd.exe
2760	36bd.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
2320	36bd.exe
2320	36bd.exe
2320	36bd.exe
844	36bd.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2400	mtv.exe
2400	mtv.exe
2400	mtv.exe
3008	rundll32.exe
3008	rundll32.exe
3008	rundll32.exe
3008	rundll32.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe
844	36bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\353r.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\0b2d	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-14-68-78-15	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\b3cd.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\cd4d.exe	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\d48.flv	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\cd4u.bmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\cd4d.flv	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
File opened for modification	C:\Windows\80a.bmp	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
844	36bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2400	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 872	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	29
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2964	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	30
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2772	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	31
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 2936	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	32
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 3012	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	33
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2760	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	34
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 948 wrote to memory of 2320	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	36
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 844 wrote to memory of 2152	844	36bd.exe	39
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 2400	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	40
PID 948 wrote to memory of 3008	948	bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfa62b6c7c379f1272b0b199d754d8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3012
- C:\Windows\SysWOW64\36bd.exe
  C:\Windows\system32/36bd.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\SysWOW64\36bd.exe
  C:\Windows\system32/36bd.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\grtq4oe\tmp.exe

Filesize
120KB

MD5
54a3b2f86b8e360f39a144dee99994eb

SHA1
8d195a8b4a1f613514cb9e9bdcc6b6d3280ca616

SHA256
a4bf455098ca62ceca877096109d61b9f9d2802afc0b24b53c3907fb7fc02f4e

SHA512
f3f7f3cf4b6ae09715078d6e5c3cc3539059691d2a02a660a505c8231eafdfedce2a222306a753375200770ce5f70efd2816740fe1f0c26d387935154be2c974

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
184KB

MD5
2190978ef3dee3f2e29ab54cc98dbe8a

SHA1
93fddaa205bf371da0413c22c09c3e79e2aa51e8

SHA256
85313518b5554637111fbe7b7dafa54fddb1d8428ab3a3d883dd9d86badb5afa

SHA512
7a382f3f2c5115d40d10421d8458636404753ce22a398f863ffd5a6e5fbababa78d14ea4484f931d69b9b736db1988a46157ebc8950bce02f26c4a7481dfee5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
84KB

MD5
771f91af339ab52cc66f63fb171ae7b0

SHA1
4391b51a4a15b79a78140d4f4ca92e207c07eb82

SHA256
0457d177bbbf699519eb5f8a3cea196174bc5bf62192fe5a00d92c9f464e052e

SHA512
1c5366c15ca07040216d4f06af4e05b5692825dcc44aa85818df7875df34efd242aa0fb5ddd3baa8a2976804b1626183b4b8837393a0e3bdd666ead73570ae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
450KB

MD5
0868c323e25de4fe3028361b2a3efcb5

SHA1
206a2a7db20935a3ca3fd98c3b6be93a70c0e9f1

SHA256
de00555b22029d11fd06ae23d933150bb8a3ab3cd76cf3f96a1453c8f2f7de87

SHA512
b7b151a3e1fa79672da0d4aec2772a3b72634bd36376176a47f32e0dbb6baeb162740ff40dab5489fd6e37636765c6003179568cba5e989dd2a9bd74c9c55dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
156KB

MD5
3152b59ff9b7676e51d6557c60c47f1b

SHA1
60438af8827826a5009692c027cf87b884046a71

SHA256
f0fb16b506fc2a26307617dfec3229383f669efb13e507332e9cd7798be226ad

SHA512
cb0017857ef33345f18b6eff22568b75c35fe40f5d14ce956c660187921e142519cef0b2cb207139eecfcdca40c76b7d91c53415729f8f9bc15a58326e3eb1f7

Download Submit