69aeb7890b064c9ad9eea45cd2417c2b0efbae19680814bd81b42108f3231296

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
Size

520KB
MD5

17c68e452dc580d1d13839152dd7f5cf
SHA1

37da16ca017e6e71ff3e7cb400c7730dd6367474
SHA256

69aeb7890b064c9ad9eea45cd2417c2b0efbae19680814bd81b42108f3231296
SHA512

ea5b6e6ee54004d7aa57d9fd0ed304b0e2a6db641144f84a5bf26704657cf5511512f5cc0aeab935406932f2732826157b83f2609e3ba1f54bf1cc6920dd5970
SSDEEP

12288:qJupwI3iV2ENXh2mqBMi/n+usQe2dG1p0CCbbQrLY8MkK2G0:qPI3Q2yh273v+seqG1p07H8MkfG0

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
2672	aaad.exe
1676	aaad.exe
2920	aaad.exe

Loads dropped DLL 49 IoCs

pid	Process
2552	regsvr32.exe
1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
2672	aaad.exe
2672	aaad.exe
2672	aaad.exe
1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
1676	aaad.exe
1676	aaad.exe
1676	aaad.exe
2920	aaad.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe
2920	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0c5d	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\97-111-98-107	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\0d06.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2920	aaad.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2844	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2588	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2868	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2940	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2552	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	34
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2672	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	35
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 1676	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	37
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 1728 wrote to memory of 756	1728	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	40
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41
PID 2920 wrote to memory of 1232	2920	aaad.exe	41

C:\Users\Admin\AppData\Local\Temp\17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2552
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:756

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
228KB

MD5
0a2ed118d197baf73219be2b85ac6572

SHA1
454393629e515e9cd942e823e2a37b40fb424a5c

SHA256
dd75dd5795f50c516b7749251cc9513b8f41d2c617e358bc2e2d46b6c8c1e0a3

SHA512
8017bbb6f5b4d4f893f69d1eedeb6f365c22bba98ae81eb721adcbcf031083a4fb78d3bad4844651298eb47aaeb550c17f4eedd7a72005564d6169b0080ef9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
424KB

MD5
db749aaf5b79dcec330464f26ff51bc5

SHA1
42495c238d95b71c45923e270d98832be795ad32

SHA256
0fcf9fc0932346eadfa39ad3c3f6fa569226334306a40e8469282d4e744c0c24

SHA512
4d51d053385bd8edef23c77b02edc229152ad490e1e6d5efff4eb3336d4c318bb4d970c25bc5bea4795ebb1d98c10440d176770e7086eaabbcf868eec4b5a550

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
132KB

MD5
f0c3079153c2fe00eba4751dd06d3c35

SHA1
f538cbe127b077cbda5f594a8eb3ea647014561f

SHA256
cd0c1ba8dce242a692cdf46f65f27568b5605ae41108b2bcc97fbaa82a2239fc

SHA512
3c6b72db3f8ddcc6a265953b12697275fd474d6b3d16dc57089e903501c7745cf434f3e1cdb1eb6a8c10bb19600d6a5c21c5d2a18aa28a9f4ed581895eab4439

Download Submit