Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 15:23

General

  • Target

    JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

  • Size

    540KB

  • MD5

    8accaad48b5d0717faaadea3a807130e

  • SHA1

    305406c9c27790babd9c6af28aaaa56fc97c8484

  • SHA256

    363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8

  • SHA512

    d7faa94d3bb2dfba9fa5d8f649e88af8086bb7d544897ac05d1e5f5bb63b93a6c6902094d2c429b8a296ad57a26a56ab2c0b8ade46376f53b8d6b80a35a336d8

  • SSDEEP

    12288:m09PO3yf8V4K4QkyYGEZjL9tQ9FZXQo/1iwPEH/JANmdoj:m4O3m834ukP9tQ9FZXQS19SxPg

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 49 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/8ado.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/8ado.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2848
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32/aaad.exe -i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2908
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32/aaad.exe -s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3052
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll, Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1312
  • C:\Windows\SysWOW64\aaad.exe
    C:\Windows\SysWOW64\aaad.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll,Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

    Filesize

    176KB

    MD5

    e9c98176a3dbfa3f6c26caabc0790a8a

    SHA1

    5295acd1c70c5341aefa87f27513379ba27db4c7

    SHA256

    900c39116cde908be327d9923dfd7b7fac1be7514d299a6b74cf3e07a0dfa387

    SHA512

    a83e10ce3eca347761c75ab5e52e93d76512d6ab2b74d876e10d24ca003bfedd6bc86efb692a39a8ff09e34cb17516835689d4e0800b835aca00e961509f8839

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

    Filesize

    412KB

    MD5

    decfae384f13dc8352810093a0a87d62

    SHA1

    e83f99c19f948ffa3cfceef90fef37b8ee9497e9

    SHA256

    172da4b756d09221ab0d6d12b434ee4c12ccf2274f147a8ed2ea5b15ecb79c1e

    SHA512

    fe2d89a9f286be8e9726c7f58851da1c6da8a10296c449e0dac31be648531031292df2b839e4e3468309b53b5ac294108bc37095ecaab26d19599a1777aad16b

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

    Filesize

    148KB

    MD5

    d76abffc28be4e811170d7bbd10c4989

    SHA1

    e28e25a1b882904dd0ecd2a2daeddf77259aa573

    SHA256

    8771c0a7f341d07b82299ddf950fa6f6dec478da5544968189829774d2cbf95e

    SHA512

    bd0b822fe18cd2a34f2be0b1c283efea0a96cb5291c7db8f7d28404f14a6cb8ed79dd39eff0456f2e2e4859f69348aae877934ae899e4c9b3adc4b803f55f6dd