363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
Size

540KB
MD5

8accaad48b5d0717faaadea3a807130e
SHA1

305406c9c27790babd9c6af28aaaa56fc97c8484
SHA256

363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8
SHA512

d7faa94d3bb2dfba9fa5d8f649e88af8086bb7d544897ac05d1e5f5bb63b93a6c6902094d2c429b8a296ad57a26a56ab2c0b8ade46376f53b8d6b80a35a336d8
SSDEEP

12288:m09PO3yf8V4K4QkyYGEZjL9tQ9FZXQo/1iwPEH/JANmdoj:m4O3m834ukP9tQ9FZXQS19SxPg

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
2908	aaad.exe
3052	aaad.exe
2644	aaad.exe

Loads dropped DLL 49 IoCs

pid	Process
2848	regsvr32.exe
2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
2908	aaad.exe
2908	aaad.exe
2908	aaad.exe
2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
3052	aaad.exe
3052	aaad.exe
3052	aaad.exe
2644	aaad.exe
1312	rundll32.exe
1480	rundll32.exe
1312	rundll32.exe
1480	rundll32.exe
1312	rundll32.exe
1480	rundll32.exe
1312	rundll32.exe
1480	rundll32.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe
2644	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\-123-3792120	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File created	C:\Windows\SysWOW64\238a	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4acu.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686d.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\64au.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\864d.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\733a.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\64a.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\d06d.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686d.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File created	C:\Windows\Tasks\ms.job	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\aa0d.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\0d06.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\864.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "IMsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.MsnPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.MsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	aaad.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2788	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	30
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2804	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	31
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2808	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	32
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2816	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	33
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2848	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	34
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 2908	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	35
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 3052	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	37
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2100 wrote to memory of 1312	2100	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	41
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40
PID 2644 wrote to memory of 1480	2644	aaad.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2848
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32/aaad.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32/aaad.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1312

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
176KB

MD5
e9c98176a3dbfa3f6c26caabc0790a8a

SHA1
5295acd1c70c5341aefa87f27513379ba27db4c7

SHA256
900c39116cde908be327d9923dfd7b7fac1be7514d299a6b74cf3e07a0dfa387

SHA512
a83e10ce3eca347761c75ab5e52e93d76512d6ab2b74d876e10d24ca003bfedd6bc86efb692a39a8ff09e34cb17516835689d4e0800b835aca00e961509f8839

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
412KB

MD5
decfae384f13dc8352810093a0a87d62

SHA1
e83f99c19f948ffa3cfceef90fef37b8ee9497e9

SHA256
172da4b756d09221ab0d6d12b434ee4c12ccf2274f147a8ed2ea5b15ecb79c1e

SHA512
fe2d89a9f286be8e9726c7f58851da1c6da8a10296c449e0dac31be648531031292df2b839e4e3468309b53b5ac294108bc37095ecaab26d19599a1777aad16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
148KB

MD5
d76abffc28be4e811170d7bbd10c4989

SHA1
e28e25a1b882904dd0ecd2a2daeddf77259aa573

SHA256
8771c0a7f341d07b82299ddf950fa6f6dec478da5544968189829774d2cbf95e

SHA512
bd0b822fe18cd2a34f2be0b1c283efea0a96cb5291c7db8f7d28404f14a6cb8ed79dd39eff0456f2e2e4859f69348aae877934ae899e4c9b3adc4b803f55f6dd

Download Submit