69aeb7890b064c9ad9eea45cd2417c2b0efbae19680814bd81b42108f3231296

Analysis

max time kernel
148s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
Size

520KB
MD5

17c68e452dc580d1d13839152dd7f5cf
SHA1

37da16ca017e6e71ff3e7cb400c7730dd6367474
SHA256

69aeb7890b064c9ad9eea45cd2417c2b0efbae19680814bd81b42108f3231296
SHA512

ea5b6e6ee54004d7aa57d9fd0ed304b0e2a6db641144f84a5bf26704657cf5511512f5cc0aeab935406932f2732826157b83f2609e3ba1f54bf1cc6920dd5970
SSDEEP

12288:qJupwI3iV2ENXh2mqBMi/n+usQe2dG1p0CCbbQrLY8MkK2G0:qPI3Q2yh273v+seqG1p07H8MkfG0

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
4216	aaad.exe
3168	aaad.exe
2368	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
3812	regsvr32.exe
2368	aaad.exe
2152	rundll32.exe
2124	rundll32.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe
2368	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\03ca.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-35-107-90-48	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\2961	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aa0d.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	aaad.exe
2368	aaad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4448	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	82
PID 3160 wrote to memory of 4448	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	82
PID 3160 wrote to memory of 4448	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	82
PID 3160 wrote to memory of 1108	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	83
PID 3160 wrote to memory of 1108	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	83
PID 3160 wrote to memory of 1108	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	83
PID 3160 wrote to memory of 1540	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	84
PID 3160 wrote to memory of 1540	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	84
PID 3160 wrote to memory of 1540	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	84
PID 3160 wrote to memory of 1932	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	85
PID 3160 wrote to memory of 1932	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	85
PID 3160 wrote to memory of 1932	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	85
PID 3160 wrote to memory of 3812	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	86
PID 3160 wrote to memory of 3812	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	86
PID 3160 wrote to memory of 3812	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	86
PID 3160 wrote to memory of 4216	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	87
PID 3160 wrote to memory of 4216	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	87
PID 3160 wrote to memory of 4216	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	87
PID 3160 wrote to memory of 3168	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	89
PID 3160 wrote to memory of 3168	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	89
PID 3160 wrote to memory of 3168	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	89
PID 3160 wrote to memory of 2152	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	92
PID 3160 wrote to memory of 2152	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	92
PID 3160 wrote to memory of 2152	3160	17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe	92
PID 2368 wrote to memory of 2124	2368	aaad.exe	93
PID 2368 wrote to memory of 2124	2368	aaad.exe	93
PID 2368 wrote to memory of 2124	2368	aaad.exe	93

C:\Users\Admin\AppData\Local\Temp\17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17c68e452dc580d1d13839152dd7f5cf_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3812
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4216
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2152

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
260KB

MD5
1d6372e2a16850bcbc9c5b805774329c

SHA1
0e8d3c5d1d5a69fba6c7c20625e97be339e26a90

SHA256
e2d7e9e6d62fad91805349d0a1576d90fe5fe566c9925b60005903d5d445898c

SHA512
d98369fa3f7f308ef2de02b6f6dd816b2db2e7cb30f304b1ec3da6b84ff3ac94b9647e2f0fe08982d9641636210c7f59f50c41b997d7411191429351209cffbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
424KB

MD5
d2293371426e3db8f0986d4576ee33a1

SHA1
d13c0c3841edd5f1f8c7682d10d778478d264261

SHA256
a81fa39319acdb2f347e6716c3f89eed54c827a5e776d7149b21f480f76aacd9

SHA512
01a78493cb6df2de52f79efefd6b9757be030b953d5736ac9e886432b163ff8cf2757a6c5af0abc2987a7ede87c7007b2b7e52353cbdb3f15fd407ee0045c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
164KB

MD5
736fbaee7046abdba63c4865468ac51b

SHA1
e95d118129582a4061bd280aa1c455dd5356a670

SHA256
378e9b6612ea3d5074acec3716f790e8c74aa60acc24b4876c8e26c2ec173394

SHA512
d493510b93dffa41b63db2ac777c488df5360ed556cbfbe55766856eef91e9055cba1d169373713abc9b7d62c2895f56357a0b7b40b7d9fe2a866589a0dafe58

Download Submit