Analysis
max time kernel: 148s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2024, 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
Size: 488KB
MD5: 4a2be3af52f74b5f5120b8431e5610b8
SHA1: 397f18e3d2a592bf479d35c82e7a76a5d3391967
SHA256: b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2
SHA512: 2eebb9f8f4b041599e4b17156b3fba377b36a2bb08bf0f7b78b503bcc7c34a53cb2fcf3fceb1efb3cdd24e82b00a9f4f24eaeed6caa5f348a4be5d84e54a1448
SSDEEP: 12288:T33Q9q2bGUVa0eJqj6ACNTuihvSlqP37lCMtB64zg:T3bcGUVZeJWUNTThqIP37lh/fzg
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Writing to the hosts file lets the sample override name resolution for chosen hostnames (redirecting or blocking them) without touching DNS; check the file for added entries on any host where aaad.exe is found.
  description                   ioc                                    Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  aaad.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  3132  aaad.exe
  1540  aaad.exe
  4032  aaad.exe
Loads dropped DLL (33 IoCs)
  pid   Process
  2724  regsvr32.exe
  4032  aaad.exe
  2260  rundll32.exe
  2908  rundll32.exe
  4032  aaad.exe  (29 further loads by the same process; 30 of the 33 entries are PID 4032)
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which Internet Explorer loads in-process as plugins; registering a CLSID under the Browser Helper Objects key gets the DLL loaded into every IE session. The key is written under WOW6432Node because the registering regsvr32.exe is the 32-bit copy in SysWOW64, so the BHO only applies to 32-bit IE.
  description      ioc                                                                                                                                                 Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}             regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"  regsvr32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. \??\PhysicalDrive0 is the raw first disk (the Win32 name is \\.\PhysicalDrive0); opening it for modification needs administrative rights. The report records the open, not the bytes written, so confirm tampering by imaging the first sector and comparing it with a known-good MBR.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  \??\PhysicalDrive0   aaad.exe
  File opened for modification  \??\PhysicalDrive0   rundll32.exe
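The check the note above asks for, as an added Python example that is not part of this report: it parses a 512-byte first sector (boot signature, partition table, Windows disk signature), hashes the 440-byte boot-code area and compares it with a baseline hash. The two sectors it runs on are constructed in the block; `read_first_sector` shows how a real one would be read from \\.\PhysicalDrive0 (elevated prompt required) but is not called.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code ends where the 4-byte disk signature starts (0x1B8)
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
MBR_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into boot-code hash, disk signature, partitions and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:                       # type 0 means an empty slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[0x1B8:0x1BC].hex(),
        "partitions": parts,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p.bootable for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR. Needs an elevated prompt on Windows; on Linux use e.g. /dev/sda."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS (0x07) partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[0x1B8:0x1BC] = b"\x11\x22\x33\x44"          # Windows disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Placeholder boot code for the constructed sectors; not a real bootloader.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# A bootkit replaces the boot code but usually leaves the partition table intact, so the
# partition fields alone will not reveal it; only the boot-code hash does.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + CLEAN_BOOT_CODE[2:])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "matches baseline")
```

Take the baseline hash from a clean image of the same build (or from the same machine before exposure); hashing the whole sector instead would also flag benign disk-signature or partition changes.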
Drops file in System32 directory (18 IoCs)
The .dlltmp/.dll pairs (03ca, da3r, 8ado, 70l8) are consistent with each DLL being written under a temporary name and renamed into place. The two extensionless files (25b, 13207944) are created by rundll32.exe, not by the sample itself.
  description                   ioc                              Process
  File opened for modification  C:\Windows\SysWOW64\03ca.dlltmp  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\aaad.exe     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\0dr0.exe     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\0ddd.exe     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\da3r.dlltmp  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\25b          rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\8ado.dlltmp  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\30e6.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\70l8.dlltmp  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\03ca.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\33u6.exe     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\03as.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\da3r.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\70l8.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\0aa3.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\830e.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\8ado.dll     4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\13207944     rundll32.exe
Drops file in Windows directory (13 IoCs)
C:\Windows\Tasks\ms.job is a legacy Task Scheduler 1.0 job file, so this entry is a scheduled-task persistence artefact rather than an ordinary file drop.
  description                   ioc                      Process
  File opened for modification  C:\Windows\aa0d.bmp      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\864.exe       4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\686.flv       4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\64au.bmp      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\686d.flv      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File created                  C:\Windows\Tasks\ms.job  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\864d.exe      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\0d06.exe      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\733a.flv      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\64a.bmp       4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\4acu.bmp      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\686d.exe      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  File opened for modification  C:\Windows\d06d.flv      4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading NLS\Language is also done by ordinary locale-aware code, so on its own it is a weak signal; what stands out here is that every dropped component does it.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe  (5 times)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aaad.exe      (2 times)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe  (2 times)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
Modifies registry class (47 IoCs)
All 47 operations are performed by regsvr32.exe (PID 2724) and together form a standard COM registration of the BHO: CLSID {84C4A916-2F38-41C4-99BD-C4E8FA05EA54} ("CFunPlayer Object", ProgID BHO.FunPlayer.1) with InprocServer32 pointing at C:\Windows\SysWow64\8ado.dll, interface {7D8644A6-61C5-4641-A655-31C637BD560C} (IFunPlayer) marshalled through the type library {9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}, whose win32 path is the same DLL. ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} is the stock type-library marshaller (PSOAInterface), not something the sample dropped. Paths below are relative to \REGISTRY\MACHINE\SOFTWARE\Classes and are grouped by object.

  CLSID (32-bit view)
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"
  Key created      WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable
  Set value (str)  WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID  (value not recorded in the report)

  ProgIDs
  Key created      BHO.FunPlayer
  Set value (str)  BHO.FunPlayer\ = "CFunPlayer Object"
  Key created      BHO.FunPlayer\CLSID
  Set value (str)  BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"
  Key created      BHO.FunPlayer\CurVer
  Set value (str)  BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"
  Key created      BHO.FunPlayer.1
  Set value (str)  BHO.FunPlayer.1\ = "CFunPlayer Object"
  Key created      BHO.FunPlayer.1\CLSID
  Set value (str)  BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"

  Interface (64-bit view)
  Key created      Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}
  Set value (str)  Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"
  Key created      Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32
  Set value (str)  Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib
  Set value (str)  Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"
  Set value (str)  Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"

  Interface (32-bit view)
  Key created      WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}
  Set value (str)  WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"
  Key created      WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32
  Set value (str)  WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib
  Set value (str)  WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"
  Set value (str)  WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"

  Type library
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0
  Set value (str)  TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32
  Set value (str)  TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS
  Set value (str)  TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"
  Key created      TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR
  Set value (str)  TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"
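Reducing the BHO and registry-class rows above to the one fact an analyst needs (which DLL Internet Explorer will load, and under which name) is mechanical. The following Python is an added example, not part of the report or of any sandbox tooling: it parses a representative subset of the rows exactly as they are printed above (embedded as constructed input), finds CLSIDs registered as Browser Helper Objects, and follows each one through InprocServer32, ProgID and TypeLib to the DLL path. The row format it assumes is the "Key created <path> <process>" / "Set value (str) <path> = "<value>" <process>" layout seen in this report.

```python
import re

# Rows copied from the "Installs/modifies Browser Helper Object" and "Modifies registry class"
# signatures of this report (subset). Backslashes inside REG_SZ values are shown doubled there.
REG_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" regsvr32.exe
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
SET_RE = re.compile(r'^Set value \(str\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
# A trailing backslash on the path means the key's default value was written.
BHO_RE = re.compile(r"\\Browser Helper Objects\\(" + GUID + r")\\?$")


def parse_reg_rows(text: str) -> list[dict]:
    """Turn the report's flattened rows into {op, path, value, process} records."""
    rows = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            path, value, proc = m.groups()
            rows.append({"op": "set", "path": path, "value": value.replace("\\\\", "\\"), "process": proc})
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc = m.groups()
            rows.append({"op": "create", "path": path, "value": None, "process": proc})
    return rows


def find_bhos(rows: list[dict]) -> list[str]:
    """CLSIDs registered under a Browser Helper Objects key (either registry view)."""
    found = []
    for r in rows:
        m = BHO_RE.search(r["path"])
        if m and m.group(1).upper() not in found:
            found.append(m.group(1).upper())
    return found


def resolve_clsid(rows: list[dict], clsid: str) -> dict:
    """Follow one CLSID's COM registration down to the DLL that will be loaded."""
    info = {"clsid": clsid}
    clsid_key = "\\CLSID\\" + clsid + "\\"
    for r in rows:
        if r["op"] != "set":
            continue
        path, value = r["path"], r["value"]
        if BHO_RE.search(path) and clsid in path:
            info["bho_name"] = value
        elif clsid_key in path:
            sub = path.split(clsid_key, 1)[1]      # e.g. "InprocServer32\" or "ProgID\"
            if sub == "":
                info["class_name"] = value
            elif sub == "InprocServer32\\":
                info["inproc_server"] = value
            elif sub == "InprocServer32\\ThreadingModel":
                info["threading_model"] = value
            elif sub == "ProgID\\":
                info["progid"] = value
            elif sub == "TypeLib\\":
                info["typelib"] = value
    if "typelib" in info:
        suffix = "\\TypeLib\\" + info["typelib"] + "\\1.0\\0\\win32\\"
        for r in rows:
            if r["op"] == "set" and r["path"].endswith(suffix):
                info["typelib_dll"] = r["value"]
    return info


if __name__ == "__main__":
    rows = parse_reg_rows(REG_ROWS)
    for clsid in find_bhos(rows):
        print(resolve_clsid(rows, clsid))
```

On a live host the same walk is done against HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (and the non-WOW6432Node key for 64-bit IE); the InprocServer32 path is the file to collect and hash.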
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4032  aaad.exe
  4032  aaad.exe
Suspicious use of WriteProcessMemory (27 IoCs)
The sandbox logs each write three times, so the 27 rows reduce to nine distinct writer/target pairs. Every target PID is a child that the writer has just created (see the Processes section), which is the normal CreateProcess pattern rather than injection into an already running process.
  description                pid   Process                                              procid_target  (recorded)
  PID 4780 wrote to memory of 1580  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  84   (3 times)
  PID 4780 wrote to memory of 2008  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  86   (3 times)
  PID 4780 wrote to memory of 768   4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  87   (3 times)
  PID 4780 wrote to memory of 2748  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  88   (3 times)
  PID 4780 wrote to memory of 2724  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  90   (3 times)
  PID 4780 wrote to memory of 3132  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  91   (3 times)
  PID 4780 wrote to memory of 1540  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  94   (3 times)
  PID 4780 wrote to memory of 2260  4780  4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  97   (3 times)
  PID 4032 wrote to memory of 2908  4032  aaad.exe                                             98   (3 times)
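The de-duplication and the child-versus-injection distinction described above are easy to automate. The following Python is an added example and not part of the report: it parses the WriteProcessMemory rows in the layout printed above (a subset, with one triplicated edge, embedded as constructed input), collapses them to distinct writer/target edges, rebuilds the lineage and checks each target against the PIDs listed in the Processes section. A target PID absent from that table would be a write into a pre-existing process, which is the case worth escalating.

```python
import re
from collections import defaultdict

# Rows from the "Suspicious use of WriteProcessMemory" signature above. Only the first edge is
# kept with its three duplicates so the sample stays short; the parser handles any repetition.
WPM_ROWS = """
PID 4780 wrote to memory of 1580 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 84
PID 4780 wrote to memory of 1580 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 84
PID 4780 wrote to memory of 1580 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 84
PID 4780 wrote to memory of 2008 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 86
PID 4780 wrote to memory of 768 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 87
PID 4780 wrote to memory of 2748 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 88
PID 4780 wrote to memory of 2724 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 90
PID 4780 wrote to memory of 3132 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 91
PID 4780 wrote to memory of 1540 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 94
PID 4780 wrote to memory of 2260 4780 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe 97
PID 4032 wrote to memory of 2908 4032 aaad.exe 98
"""

# "PID <writer> wrote to memory of <target> <writer> <image> <target index>"; \1 enforces
# that the repeated writer PID matches.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# PID -> (image, arguments) as listed in the Processes section of the report.
PROCESS_TREE = {
    4780: ("4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe", ""),
    1580: ("regsvr32.exe", '/u /s "C:\\Windows\\system32\\70l8.dll"'),
    2008: ("regsvr32.exe", '/u /s "C:\\Windows\\system32\\03ca.dll"'),
    768:  ("regsvr32.exe", '/u /s "C:\\Windows\\system32\\da3r.dll"'),
    2748: ("regsvr32.exe", '/u /s "C:\\Windows\\system32\\8ado.dll"'),
    2724: ("regsvr32.exe", '/s "C:\\Windows\\system32\\8ado.dll"'),
    3132: ("aaad.exe", "-i"),
    1540: ("aaad.exe", "-s"),
    2260: ("rundll32.exe", "C:\\Windows\\system32\\830e.dll, Always"),
    4032: ("aaad.exe", ""),
    2908: ("rundll32.exe", "C:\\Windows\\system32\\830e.dll,Always"),
}


def parse_wpm_rows(text: str) -> set[tuple[int, str, int, int]]:
    """Return distinct (writer_pid, writer_image, target_pid, target_index) edges."""
    edges = set()
    for m in ROW_RE.finditer(text):
        writer, target, image, idx = m.groups()
        edges.add((int(writer), image, int(target), int(idx)))
    return edges


def build_lineage(edges) -> dict[int, list[int]]:
    """Map each writing PID to the sorted list of PIDs it wrote into."""
    children = defaultdict(set)
    for writer, _image, target, _idx in edges:
        children[writer].add(target)
    return {pid: sorted(targets) for pid, targets in children.items()}


def classify_targets(edges, tree) -> dict[int, str]:
    """A target present in the process tree is a freshly created child (normal CreateProcess
    behaviour); one that is absent is a write into an existing process."""
    verdict = {}
    for _writer, _image, target, _idx in edges:
        if target in tree:
            verdict[target] = "child process: " + " ".join(tree[target]).strip()
        else:
            verdict[target] = "not in process tree (injection candidate)"
    return verdict


def summarize(text: str = WPM_ROWS, tree=PROCESS_TREE) -> list[str]:
    """One line per writer: '<pid> <image> -> <child pids>'."""
    edges = parse_wpm_rows(text)
    lines = []
    for writer, kids in sorted(build_lineage(edges).items()):
        image = tree.get(writer, ("<unknown>", ""))[0]
        lines.append(f"{writer} {image} -> {', '.join(map(str, kids))}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
    for pid, verdict in sorted(classify_targets(parse_wpm_rows(WPM_ROWS), PROCESS_TREE).items()):
        print(f"  {pid}: {verdict}")
```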
Processes
C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe  (PID 4780)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe  (PID 1580)
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\regsvr32.exe  (PID 2008)
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\regsvr32.exe  (PID 768)
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\regsvr32.exe  (PID 2748)
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\regsvr32.exe  (PID 2724)
      command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class
    C:\Windows\SysWOW64\aaad.exe  (PID 3132)
      command line: C:\Windows\system32\aaad.exe -i
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\aaad.exe  (PID 1540)
      command line: C:\Windows\system32\aaad.exe -s
      - Executes dropped EXE
    C:\Windows\SysWOW64\rundll32.exe  (PID 2260)
      command line: C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\aaad.exe  (PID 4032)
  command line: C:\Windows\SysWOW64\aaad.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 2908)
      command line: C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery

Reading the tree: the sample is a 32-bit process, so every C:\Windows\system32 path in its command lines is redirected by WOW64 file-system redirection to C:\Windows\SysWOW64, which is where the dropped files actually land and where the image paths above point. The four regsvr32 /u /s calls silently unregister any earlier copies of the dropped DLLs before regsvr32 /s "8ado.dll" registers the BHO. aaad.exe is run first with -i, then with -s, and then appears a third time (PID 4032) at the top level rather than as a child of the sample; that instance is the one that modifies the hosts file, writes to PhysicalDrive0 and spawns the second rundll32 830e.dll,Always (PID 2908), which in turn writes to PhysicalDrive0 and creates the extensionless files 25b and 13207944 in SysWOW64.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 167KB
MD5: 6604017b97723459582278f29adf20d5
SHA1: 6eec88c892a29bf10d20692b08561d74406e2e50
SHA256: d887f632b8652be987072fc87a418edf75b9bfaf7482976815b10b0cef7f3754
SHA512: 4f6f9f02be6c6e244965238e0fdf191eeaafd1690b5e669b22f0064d67cb1128150b49ec691f58896d91439f81570f2467e4148147a3fbfc727148193eb526aa

Filesize: 281KB
MD5: 8b648c94ec827c3424a2521364186891
SHA1: 550bfd17903727aa4add841f27d4d9bf54377897
SHA256: c86d1230cd214571b3350c6db2a5f57083b23119feadaad9db388e666bfb00cc
SHA512: 0564dd66eb92259f0594b83e2aa5f555751a1ee20ed39d12662c0ce13f95bc5860efa6807ac2035232a4bb46781e14c36d7acc5ea4db9fa1b893b4cec803b857

Filesize: 156KB
MD5: 828ccba7ef24786cd58e94d15846a0c7
SHA1: 1c0029ca95356f7cbc77e2a8c2954777dc22b48a
SHA256: 12fb77c027354c279cad3dc9ba03bfbe75c2c2756c9d45be6a57e0e2378f48dd
SHA512: 3adc2abddb2e1bbc7776a8abf9772cf100800d4c48bc193d5d7ceb2b8141ef0203a8868248995ee311ad0cc8c3561aa21fc98fe66ee8ddc50c5d4281299ed5cc