7974da1e217fad12742b5942c33883ef72e456ca752ec9487e2474bc68e70976

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
Size

560KB
MD5

d9aa1f618dccc2f6cafb6b9f1339ee86
SHA1

5cf5287f3aa9460c8f7f53d7517d14dc35783506
SHA256

7974da1e217fad12742b5942c33883ef72e456ca752ec9487e2474bc68e70976
SHA512

616e5c935660bdfb8b7e8c73d3acf8cb9a89b45691d8ee20ee9196448552e79bf562d83ba5b91b91f2f50e79941e0419cd549c4924d3213e524b9605c9e7d2ce
SSDEEP

12288:x/WyRyr3DkhukgRr0fX1ggXfSMlOR9zmOM5P6/LxONGuHnH3DTWlk5A3:x/Kr3IhuRei2/9OinxH3RK

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	330d.exe

Executes dropped EXE 4 IoCs

pid	Process
1260	330d.exe
3976	330d.exe
2344	330d.exe
2100	mtv.exe

Loads dropped DLL 33 IoCs

pid	Process
684	regsvr32.exe
2344	330d.exe
3080	rundll32.exe
2296	rundll32.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe
2344	330d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	330d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\30e6.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330e.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\367184-24	rundll32.exe
File created	C:\Windows\SysWOW64\26e46	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\0d06.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
File opened for modification	C:\Windows\068u.bmp	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	330d.exe
2344	330d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	mtv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4948	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	86
PID 1776 wrote to memory of 4948	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	86
PID 1776 wrote to memory of 4948	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	86
PID 1776 wrote to memory of 2628	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	87
PID 1776 wrote to memory of 2628	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	87
PID 1776 wrote to memory of 2628	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	87
PID 1776 wrote to memory of 3992	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	89
PID 1776 wrote to memory of 3992	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	89
PID 1776 wrote to memory of 3992	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	89
PID 1776 wrote to memory of 4692	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	90
PID 1776 wrote to memory of 4692	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	90
PID 1776 wrote to memory of 4692	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	90
PID 1776 wrote to memory of 684	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	92
PID 1776 wrote to memory of 684	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	92
PID 1776 wrote to memory of 684	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	92
PID 1776 wrote to memory of 1260	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	93
PID 1776 wrote to memory of 1260	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	93
PID 1776 wrote to memory of 1260	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	93
PID 1776 wrote to memory of 3976	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	95
PID 1776 wrote to memory of 3976	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	95
PID 1776 wrote to memory of 3976	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	95
PID 1776 wrote to memory of 2100	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	98
PID 1776 wrote to memory of 2100	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	98
PID 1776 wrote to memory of 2100	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	98
PID 2344 wrote to memory of 3080	2344	330d.exe	99
PID 2344 wrote to memory of 3080	2344	330d.exe	99
PID 2344 wrote to memory of 3080	2344	330d.exe	99
PID 1776 wrote to memory of 2296	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	100
PID 1776 wrote to memory of 2296	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	100
PID 1776 wrote to memory of 2296	1776	d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa1f618dccc2f6cafb6b9f1339ee86_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a3do.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4692
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/a3do.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:684
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -s
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2296

C:\Windows\SysWOW64\330d.exe
C:\Windows\SysWOW64\330d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
167KB

MD5
9d0f7c77b79519b75acf46a4148f8503

SHA1
2aaeacc8522f4e657d9107fa1e0e1b7b607393af

SHA256
3888598820b77a12daefc78258021c772ad8c421c77c284ef5a9f7f5c39a1f63

SHA512
ad15e04d54052cfeaf67d92bb5643d077b9fbbacb8b1ca2c571cc8ce4df40e95d6d83ef502a066a94f2384cac778a1410ff174ce8f6c0a4835a98e01dffec4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
112KB

MD5
a1e5c39faa4f39100a5fbfe919e6a54c

SHA1
ba5912487014655330ba29e3e67d99b4435c5870

SHA256
9de19effd57cf8d60de9544fd9decf4e89f36ab58946e7eed7132aa8229652c5

SHA512
525584ce90af5b3746358b62328598b12077dfd156b3ab61cf7c7c63d860a046a478e93a8308710cbc2b7aceb7e0ac695ec4a43d92769fbe3bf2b0c25dad74ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
456KB

MD5
c86ca33edcc0ae668b642b7faefd2fa2

SHA1
0e1a6be44cd357096c49aa3688e0b44fc59547d6

SHA256
ab765adedc6bfb24e817c4c24ef14cf921edfa5f6a9ff394236c190220e94851

SHA512
9bf3ec8bd462aff180edff8b9f46f23621ae767a84538421217056bf8f88cc9fa53dc1d79d43e4f93011e60c6e555e5011c248a7da8d3af8d0808d80a54581b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
184KB

MD5
2eaaa3e189e019875357c009bda4b9fe

SHA1
e766992580432a61eb48a352cfa5950c24ffb881

SHA256
9096c8e171506bd2e421ea157f3e35d2eb6a6ddfa60548042f94f0c731559e19

SHA512
2ec1cbaea2a0a12da1eee2ba596784cdd98a5fc321078079e1ea35573ddccc1e84603bdf558d1c2071195c1af35a2e0553dc708d8c6142947afc9d67fd9be28f

Download Submit
C:\Windows\Temp\tmp.exe

Filesize
68KB

MD5
b04303ecca69f25fa2c7116c24cc8263

SHA1
65d3ab04ffbe4b3ed6f23b9c35f786dcbb9bb8e4

SHA256
d7edbee543209ff9ab009959576e198f1cb2a4d7e5bdc806402a81b9f7c2d35d

SHA512
556735bb28562d3dc8eddd28a9ddb02593a380fc9532d891d4790347caf6516720adfb90bc9f29d2841a143200ea7d0ce63bbe66cb542480a664af865d86c8df

Download Submit
memory/684-57-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1776-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1776-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2344-74-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2344-106-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2344-119-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2344-125-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2344-128-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2344-132-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download