363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
Size

540KB
MD5

8accaad48b5d0717faaadea3a807130e
SHA1

305406c9c27790babd9c6af28aaaa56fc97c8484
SHA256

363b14fb3589a66906cd84b837a5379d711bf02500ffc7448862ffeae5433ba8
SHA512

d7faa94d3bb2dfba9fa5d8f649e88af8086bb7d544897ac05d1e5f5bb63b93a6c6902094d2c429b8a296ad57a26a56ab2c0b8ade46376f53b8d6b80a35a336d8
SSDEEP

12288:m09PO3yf8V4K4QkyYGEZjL9tQ9FZXQo/1iwPEH/JANmdoj:m4O3m834ukP9tQ9FZXQS19SxPg

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
5336	aaad.exe
3664	aaad.exe
5536	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
5588	regsvr32.exe
5536	aaad.exe
2404	rundll32.exe
5432	rundll32.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe
5536	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File created	C:\Windows\SysWOW64\03a	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File created	C:\Windows\SysWOW64\-99-24595	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4acu.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686d.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\d06d.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\64au.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\864d.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686d.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File created	C:\Windows\Tasks\ms.job	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\aa0d.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\0d06.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\733a.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\64a.bmp	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\864.exe	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
File opened for modification	C:\Windows\686.flv	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{B1108084-AA13-4723-ABAF-09D533AA6AAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID\ = "BHO.MsnPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\VersionIndependentProgID\ = "BHO.MsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\TypeLib\ = "{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1108084-AA13-4723-ABAF-09D533AA6AAE}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D94D57B6-EA37-46A9-BBC4-8A2872E1D5CE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C350FF9E-710B-4895-981C-9151A0C9244E}\ = "IMsnPlayer"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5536	aaad.exe
5536	aaad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5488 wrote to memory of 2720	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	86
PID 5488 wrote to memory of 2720	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	86
PID 5488 wrote to memory of 2720	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	86
PID 5488 wrote to memory of 436	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	87
PID 5488 wrote to memory of 436	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	87
PID 5488 wrote to memory of 436	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	87
PID 5488 wrote to memory of 5036	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	88
PID 5488 wrote to memory of 5036	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	88
PID 5488 wrote to memory of 5036	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	88
PID 5488 wrote to memory of 1616	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	89
PID 5488 wrote to memory of 1616	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	89
PID 5488 wrote to memory of 1616	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	89
PID 5488 wrote to memory of 5588	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	91
PID 5488 wrote to memory of 5588	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	91
PID 5488 wrote to memory of 5588	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	91
PID 5488 wrote to memory of 5336	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	93
PID 5488 wrote to memory of 5336	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	93
PID 5488 wrote to memory of 5336	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	93
PID 5488 wrote to memory of 3664	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	96
PID 5488 wrote to memory of 3664	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	96
PID 5488 wrote to memory of 3664	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	96
PID 5488 wrote to memory of 2404	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	99
PID 5488 wrote to memory of 2404	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	99
PID 5488 wrote to memory of 2404	5488	JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe	99
PID 5536 wrote to memory of 5432	5536	aaad.exe	100
PID 5536 wrote to memory of 5432	5536	aaad.exe	100
PID 5536 wrote to memory of 5432	5536	aaad.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8accaad48b5d0717faaadea3a807130e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5488
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5588
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32/aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5336
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32/aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2404

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5536
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
108KB

MD5
d7d3663e5b623abc5a36b7dda22f68b5

SHA1
57dcdf97f7c54c825847f9cb72033aa0dde8abd3

SHA256
edbb3300ccbf3a37fe2e85bd32aebf53563c5830f882f530b05d73fb0aeefcdc

SHA512
6ce4298415e114b585a0e7ca3ebbacaae5361f837f6286c84e144006130b780b2e1cbb039cb6476c4e2c6cb4b3eca17fdd86148b62d79498898510e1f0bf45b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
376KB

MD5
3e3ec7f05ca2609d66b9b0fdf8701ef0

SHA1
0b9da4815e49f142b144e48a7fe6943d831b2a2f

SHA256
470a3b63e47d1206acf5740d2f51311b957af8b7aa083869abac9957b5bda01f

SHA512
0d923a6ea6a7565e87278cb1834346353862fe7e332320fdaaad63761090b222cf8da1cb5e566897ccae378a883bcc29ea1eba6ba13a04f15f5b6a3ad22a6f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
188KB

MD5
7a4f6148d3ca4636cdcde45d5fd21305

SHA1
57baeb31ed3af0fad2e690cd33f6263ea69642cc

SHA256
622a3d31648ca60b6cde8a275ac1968756b80eeaacfcb4b4edd567b3a80e56da

SHA512
2e27f8abd4bee13302fd84a1e7daf1adf846421ae098e0fcb0ecfa0ad6b72f25f4cf310803f506bf28866965aeed5cf8af2a3d2cfacc944b36baa7ba9086880b

Download Submit