7974da1e217fad12742b5942c33883ef72e456ca752ec9487e2474bc68e70976

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
Size

560KB
MD5

d9aa1f618dccc2f6cafb6b9f1339ee86
SHA1

5cf5287f3aa9460c8f7f53d7517d14dc35783506
SHA256

7974da1e217fad12742b5942c33883ef72e456ca752ec9487e2474bc68e70976
SHA512

616e5c935660bdfb8b7e8c73d3acf8cb9a89b45691d8ee20ee9196448552e79bf562d83ba5b91b91f2f50e79941e0419cd549c4924d3213e524b9605c9e7d2ce
SSDEEP

12288:x/WyRyr3DkhukgRr0fX1ggXfSMlOR9zmOM5P6/LxONGuHnH3DTWlk5A3:x/Kr3IhuRei2/9OinxH3RK

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	330d.exe

Executes dropped EXE 4 IoCs

pid	Process
2392	330d.exe
2412	330d.exe
2008	330d.exe
1120	mtv.exe

Loads dropped DLL 54 IoCs

pid	Process
3020	regsvr32.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
2392	330d.exe
2392	330d.exe
2392	330d.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
2412	330d.exe
2412	330d.exe
2412	330d.exe
2008	330d.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
1120	mtv.exe
1120	mtv.exe
1120	mtv.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe
2008	330d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	330d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\330d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\5562-115-127	rundll32.exe
File created	C:\Windows\SysWOW64\6ee	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\330e.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\64a.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068u.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2008	330d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2920	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	31
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 3032	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2760	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 2756	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	34
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 3020	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	35
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2392	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	36
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 2412	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	38
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2132 wrote to memory of 1120	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	41
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2008 wrote to memory of 2016	2008	330d.exe	42
PID 2132 wrote to memory of 380	2132	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a3do.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/a3do.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3020
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1120
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:380

C:\Windows\SysWOW64\330d.exe
C:\Windows\SysWOW64\330d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
127KB

MD5
c44475c5e64b45ce2910dd3bdfa5a0e0

SHA1
d8c6a6b54c32d6bc4d3e48101e3605bf4f088da9

SHA256
e076a28d466ea41aa211812df427f3906cc6b68a0affa257a8be2042a8cbfa37

SHA512
1e7e7e833a265c785311ffbb249bcf4a15143353e1efa74c68481d25cfcdc0c2160686d27760a43d287002ae13924309017389cbfa39f72b06584639bd530bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
116KB

MD5
5e9455c45408eba826680874fbb8e043

SHA1
e51f503c87d2a83ef24c8cce2c4f2158a9b80313

SHA256
06770f3fe00138b4e524d16a8f4210b91efe6983959e8fdf0747ae91fb82d998

SHA512
300635c3709bff8199cfb41aeff429cf96375cc41e1cbdbd9feb0aa6399068b3a890c4297eeb760aaacb1447e19479182f3f7e933d658bb341bd6fe0aa40fc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
432KB

MD5
7f9f214caef3a685508fe1723967e9b4

SHA1
5168c69655b024afa07b94622dec40490028a571

SHA256
c706f1cb935ab7a896c55503c9d2bf90e2c4db85c9277dd4c336fe6329bce918

SHA512
72685992fc51687011261206efd6583663930f39f8df29eb60cb873483016751bd5d92c684829cb48a9e0764bee0d9967adef6e7186b4ddfcdbf5213a0ca323f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
204KB

MD5
7b81dd0c97123ce2166ff3cf10c58f6d

SHA1
25b059eaa3fd914d229e972480cf1a14ba289f73

SHA256
ca8b3f8ae6dbd12203be826adc8e6aab75a2edc27c23fd97d241a9f6cdbdbd7b

SHA512
22ab52a088c4e456affae5e8c86c00596ca63b1df1f39a6fbb7ac051e9dd06b32f7fa3db7f8077846fa8ddeda21cd1e9c838f5addd0a8fff7323cf1fe10da474

Download Submit
C:\Windows\Temp\tmp.exe

Filesize
56KB

MD5
b98422eab6cf6c8259ac650bcb62496d

SHA1
8123e3a23d642244b0d79f88af14d3990cf6d918

SHA256
c7f3bc268d705951b9c7e30073819b2fb3a7f0fe291b8f0f35697ff95986342c

SHA512
11455cacb8a4fce9c575b0e7ecff1e81ac5a0323ac950debf872a0f2f5c744e723c996f8452f3299c72db67bcbb6da9fb6fff08221eb496cb0a996172d19f242

Download Submit
memory/2008-136-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-161-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-86-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-173-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-170-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-168-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-138-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-141-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-144-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-149-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-154-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-156-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-159-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2008-165-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2132-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2132-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2132-1-0x0000000000310000-0x0000000000390000-memory.dmp

Filesize
512KB

Download
memory/3020-60-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download