Analysis

  • max time kernel: 148s
  • max time network: 140s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28/03/2025, 15:23

General

  • Target: JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
  • Size: 540KB
  • MD5: 8accaad48b5d0717faaadea3a807130e
  • SHA1: 305406c9c27790babd9c6af28aaaa56fc97c8484
  • SHA256: 363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8
  • SHA512: d7faa94d3bb2dfba9fa5d8f649e88af8086bb7d544897ac05d1e5f5bb63b93a6c6902094d2c429b8a296ad57a26a56ab2c0b8ade46376f53b8d6b80a35a336d8
  • SSDEEP: 12288:m09PO3yf8V4K4QkyYGEZjL9tQ9FZXQo/1iwPEH/JANmdoj:m4O3m834ukP9tQ9FZXQS19SxPg

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 33 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5488
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:436
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5036
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/8ado.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/8ado.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:5588
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32/aaad.exe -i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5336
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32/aaad.exe -s
      2⤵
      • Executes dropped EXE
      PID:3664
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll, Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2404
  • C:\Windows\SysWOW64\aaad.exe
    C:\Windows\SysWOW64\aaad.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5536
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll,Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
    Filesize: 108KB
    MD5: d7d3663e5b623abc5a36b7dda22f68b5
    SHA1: 57dcdf97f7c54c825847f9cb72033aa0dde8abd3
    SHA256: edbb3300ccbf3a37fe2e85bd32aebf53563c5830f882f530b05d73fb0aeefcdc
    SHA512: 6ce4298415e114b585a0e7ca3ebbacaae5361f837f6286c84e144006130b780b2e1cbb039cb6476c4e2c6cb4b3eca17fdd86148b62d79498898510e1f0bf45b2

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
    Filesize: 376KB
    MD5: 3e3ec7f05ca2609d66b9b0fdf8701ef0
    SHA1: 0b9da4815e49f142b144e48a7fe6943d831b2a2f
    SHA256: 470a3b63e47d1206acf5740d2f51311b957af8b7aa083869abac9957b5bda01f
    SHA512: 0d923a6ea6a7565e87278cb1834346353862fe7e332320fdaaad63761090b222cf8da1cb5e566897ccae378a883bcc29ea1eba6ba13a04f15f5b6a3ad22a6f17

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
    Filesize: 188KB
    MD5: 7a4f6148d3ca4636cdcde45d5fd21305
    SHA1: 57baeb31ed3af0fad2e690cd33f6263ea69642cc
    SHA256: 622a3d31648ca60b6cde8a275ac1968756b80eeaacfcb4b4edd567b3a80e56da
    SHA512: 2e27f8abd4bee13302fd84a1e7daf1adf846421ae098e0fcb0ecfa0ad6b72f25f4cf310803f506bf28866965aeed5cf8af2a3d2cfacc944b36baa7ba9086880b