8a94283b22740fd21136a65040deeedba5048f66345e009c77d397ff80bc81b2

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 21:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
Size

492KB
MD5

faebdafafc71fb691ec8b4233b457219
SHA1

447e96b0e69b131e54a82492f0034a852a0650d8
SHA256

8a94283b22740fd21136a65040deeedba5048f66345e009c77d397ff80bc81b2
SHA512

00de20292d33d25338f6904deb2e339d76519a2e76d6874db5f4bb0cb9fe1e19d7c9579753112c56f0955108625d3a9f391f77e3bf85c2102c0a4395cef4bd56
SSDEEP

12288:vXOqjdBB1SUhySAgRsZOWvw724MmU1zYvMaguBcC8t:vpB1dhTs0qAMmU1svMJ0c

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	330d.exe

Executes dropped EXE 4 IoCs

pid	Process
4928	330d.exe
3068	330d.exe
4300	330d.exe
4492	mtv.exe

Loads dropped DLL 33 IoCs

pid	Process
1436	regsvr32.exe
4300	330d.exe
4032	rundll32.exe
4516	rundll32.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe
4300	330d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/330e.dll,Always"	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	330d.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\30e6.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330e.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330d.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dlltmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-5434-16-24	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\0fa	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\0d06.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\068u.bmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.exe	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.flv	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4300	330d.exe
4300	330d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	mtv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4172	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	84
PID 3368 wrote to memory of 4172	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	84
PID 3368 wrote to memory of 4172	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	84
PID 3368 wrote to memory of 4204	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	85
PID 3368 wrote to memory of 4204	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	85
PID 3368 wrote to memory of 4204	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	85
PID 3368 wrote to memory of 1068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	86
PID 3368 wrote to memory of 1068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	86
PID 3368 wrote to memory of 1068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	86
PID 3368 wrote to memory of 4840	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	87
PID 3368 wrote to memory of 4840	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	87
PID 3368 wrote to memory of 4840	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	87
PID 3368 wrote to memory of 1436	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	88
PID 3368 wrote to memory of 1436	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	88
PID 3368 wrote to memory of 1436	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	88
PID 3368 wrote to memory of 4928	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	89
PID 3368 wrote to memory of 4928	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	89
PID 3368 wrote to memory of 4928	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	89
PID 3368 wrote to memory of 3068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	91
PID 3368 wrote to memory of 3068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	91
PID 3368 wrote to memory of 3068	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	91
PID 4300 wrote to memory of 4032	4300	330d.exe	94
PID 4300 wrote to memory of 4032	4300	330d.exe	94
PID 4300 wrote to memory of 4032	4300	330d.exe	94
PID 3368 wrote to memory of 4492	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	95
PID 3368 wrote to memory of 4492	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	95
PID 3368 wrote to memory of 4492	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	95
PID 3368 wrote to memory of 4516	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	96
PID 3368 wrote to memory of 4516	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	96
PID 3368 wrote to memory of 4516	3368	faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faebdafafc71fb691ec8b4233b457219_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4172
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a3do.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/a3do.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1436
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -s
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4492
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4516

C:\Windows\SysWOW64\330d.exe
C:\Windows\SysWOW64\330d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\4.dll

Filesize
132KB

MD5
8a3051fc660fe9689098acaf30a5d09b

SHA1
cc113abd87c438fa3452dc6c7b04ea13e6c9900b

SHA256
a1c675e64ee95e0249e27cd91fc984e5972f43aca3df7753e6b7fb253b4544a9

SHA512
78dce589e711fb5169c75e61865570fe862801aa8effc86afd782e2643dfda8c47d87f1e0ee0a031c19d729089253e6ec0de11282b3cd19dd5aee087f19e4d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
192KB

MD5
41cdf443d74f60f05e9bf2e28d6d4c96

SHA1
48e5a58f32493f2a8c98d0e50fb2b8c151133f51

SHA256
1510494080ce2f3adab775ea2e33d2a59d71d3f45887952aead5ad8b81c9c87e

SHA512
c07067cb3d6771f494feb000fe67456e7a3b532267d3cdda134ba7ef1ffdfca298aa8eec4ec0f68319ed202779f0737819ae7e602a9d0789afe50e01360d4901

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
92KB

MD5
c08c8961f9aa365a85d7d52e0d297483

SHA1
6a81f2bee1e948387f2548a0d9b10820d0f11512

SHA256
35eb87a5542ce4684e5d9318c7b7b00bfb022a9814a834e4dbc20637148784e9

SHA512
00f0f0296a859e5a46e58ea6c1f18fcf1751df4632dbbc0b76a8ee9b1d5a2e1f1c535e8d1e5a833ef99fbeb2deacb94e2bdaf098bbc4a0425eb87dfc99953ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
428KB

MD5
c1eea02cd8ba064598a43aeb59518370

SHA1
167ddaed0714539bf8a3bc558731e2358fa6dedc

SHA256
c119158f541c046f598fcc6cfb55bd904b2552e5bca6a123985531f37cbafd36

SHA512
538b2b9fb1a9cda29b98ddfef813e980838d41a9d043b766ae45a6e1bb20eb91a5f505683c1701e608f1baa42ceb1f754b8a7bd36279667af90a93453abe7ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvn3\tmp.exe

Filesize
84KB

MD5
d5ebb29d8c38ee7efeac3aeba33323b4

SHA1
b2809396f9930bd117bea850757e6f96c439f892

SHA256
06d49498baae66de0c96a693b7d1139cf27c3f6b6c91344aa73f620b8774f7f1

SHA512
81bccc2c4e78b8c6fdddd0361bbec514d389d7bffc062d363f7315a0da4032e41fb9dc36fd98ea92797a8a41664ebb3ea6511eeafc2afa9ee333610f1c88da1a

Download Submit