dcf95a5bfabce250d75678c38ee6b3fc536b667f2d5c23e745f68999d54b5887

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 11:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
Size

616KB
MD5

39bcf9456bfcb8158f1b4fa241175a2b
SHA1

b4a833193f50f64dd9398b4fd60623d8f74231fc
SHA256

dcf95a5bfabce250d75678c38ee6b3fc536b667f2d5c23e745f68999d54b5887
SHA512

896f37048a6cf93849c06804ebdcbf7c2bd3784912244ea26a098d3c8624992c01126fd9df4550b11847a3991c31875daddb27844c26f528c2176dedae39f67b
SSDEEP

12288:qJupwI3iV2ENXh2mqBMi/n+usQe2dG1p0CCbbQrLY8MkK2VmKrLA6Ub:qPI3Q2yh273v+seqG1p07H8MkfVm+Ex

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
812	aaad.exe
4760	aaad.exe
4140	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
2444	regsvr32.exe
4140	aaad.exe
2916	rundll32.exe
3724	rundll32.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe
4140	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\03ca.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-1095-8993	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\272	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\686d.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	aaad.exe
4140	aaad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 2028	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	86
PID 3808 wrote to memory of 2028	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	86
PID 3808 wrote to memory of 2028	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	86
PID 3808 wrote to memory of 1460	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	87
PID 3808 wrote to memory of 1460	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	87
PID 3808 wrote to memory of 1460	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	87
PID 3808 wrote to memory of 1552	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	88
PID 3808 wrote to memory of 1552	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	88
PID 3808 wrote to memory of 1552	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	88
PID 3808 wrote to memory of 3744	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	89
PID 3808 wrote to memory of 3744	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	89
PID 3808 wrote to memory of 3744	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	89
PID 3808 wrote to memory of 2444	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	90
PID 3808 wrote to memory of 2444	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	90
PID 3808 wrote to memory of 2444	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	90
PID 3808 wrote to memory of 812	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	91
PID 3808 wrote to memory of 812	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	91
PID 3808 wrote to memory of 812	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	91
PID 3808 wrote to memory of 4760	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	93
PID 3808 wrote to memory of 4760	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	93
PID 3808 wrote to memory of 4760	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	93
PID 3808 wrote to memory of 2916	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	96
PID 3808 wrote to memory of 2916	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	96
PID 3808 wrote to memory of 2916	3808	39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe	96
PID 4140 wrote to memory of 3724	4140	aaad.exe	97
PID 4140 wrote to memory of 3724	4140	aaad.exe	97
PID 4140 wrote to memory of 3724	4140	aaad.exe	97

C:\Users\Admin\AppData\Local\Temp\39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39bcf9456bfcb8158f1b4fa241175a2b_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3744
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2444
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:812
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2916

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
200KB

MD5
a6f4ce60d36f1d0fb1564c07bd3ea8c0

SHA1
ae5f0d49c0b9e03e92ca7d979aaf433c88a56c28

SHA256
a5de325bea057bbef0df9911aea634f31cb750021d124c719903213decd3debe

SHA512
491cf79ec551a659468f02c77657740592127d9782e89a54e9d7d1bb8ffaad220261739ddd4f5d070ba56c5e8616d06c593821effb2f8019e4fa480e2926d79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
396KB

MD5
b7235ea90b84274937c4f0f40af8812d

SHA1
83b9525b7df4438198ecda8ccfd45f0155a1fc04

SHA256
31c6ff63b0d3d4a644c37e68eab4eaeec6fa75577476723a11890cb95017ca89

SHA512
3f0f953559ddfde5aa8736e15a6dcf3d75fce90b242f7a1ed3fc2cd6f0f31b793bd1afc1c01fac103131359ba298a7d1f476436a7e0684de112dfded4ba2e3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
136KB

MD5
94477dd07e8037982d257a0045fbb4d3

SHA1
392f00ebb616ff4658f67b642c451159b67c9bc6

SHA256
a128b9dd0b9b7fc19a9a98c16e23728cfc60748c3d6fdcba6b98e7d2f6bbeb70

SHA512
5d5b488b35084ca23b7ea4e2e956449f96f8e0c5ef9df3771ec019e52359d9e7e56e9a571fcd58ca54ca2561701f9a80f0f90d39968e3a830860d081cdd6c222

Download Submit