c75ce9d9dc660ddc87b315dd90ee11f70a88ac78cfd82008958f102e9a8c9bc5

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a309596c9bb24df4a97b6a2fb3967bf_JaffaCakes118.dll
Size

472KB
MD5

1a309596c9bb24df4a97b6a2fb3967bf
SHA1

75677094b4b78bbe0e07b5c35f1a371d14cd1d57
SHA256

c75ce9d9dc660ddc87b315dd90ee11f70a88ac78cfd82008958f102e9a8c9bc5
SHA512

6040a5314ee5db4737f07c5ad90edd8d5713a481a5718067d4695b46b1871cddd2735f3059a567cb57de733884d10eff4872f91a6d16cabaf91f1f1be4feaf1b
SSDEEP

12288:gIx3n4BiTNvjrwy15K1Q4e0TsSk7h77wNpTYLb8:gIx3JNLrr5KbQ/7h7S4

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

36bd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts 36bd.exe
Executes dropped EXE 4 IoCs

Processes:

36bd.exe36bd.exe36bd.exemtv.exe

pid process

2536 36bd.exe
1908 36bd.exe
2456 36bd.exe
2188 mtv.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

pid	process
2536	36bd.exe
1908	36bd.exe
2456	36bd.exe
2188	mtv.exe

Loads dropped DLL 45 IoCs

Processes:

regsvr32.exerundll32.exe36bd.exerundll32.exerundll32.exe

pid	process
2692	regsvr32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2456	36bd.exe
2656	rundll32.exe
2656	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
2136	rundll32.exe
1224	rundll32.exe
1224	rundll32.exe
1224	rundll32.exe
1224	rundll32.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe
2456	36bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe36bd.exerundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
File opened for modification \??\PhysicalDrive0 36bd.exe
File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 21 IoCs

Processes:

rundll32.exerundll32.exemtv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\353r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\eee	rundll32.exe
File created	C:\Windows\SysWOW64\-7646-32-61	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	rundll32.exe
File created	C:\Windows\SysWOW64\1d13	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe

Drops file in Windows directory 13 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\436b.flv	rundll32.exe
File opened for modification	C:\Windows\480.exe	rundll32.exe
File opened for modification	C:\Windows\d48.flv	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\80a.bmp	rundll32.exe
File opened for modification	C:\Windows\0acu.bmp	rundll32.exe
File opened for modification	C:\Windows\d48d.exe	rundll32.exe
File opened for modification	C:\Windows\3cdd.flv	rundll32.exe
File opened for modification	C:\Windows\cd4d.exe	rundll32.exe
File opened for modification	C:\Windows\b5b3.bmp	rundll32.exe
File opened for modification	C:\Windows\b3cd.exe	rundll32.exe
File opened for modification	C:\Windows\cd4u.bmp	rundll32.exe
File opened for modification	C:\Windows\cd4d.flv	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

36bd.exe

pid process

2456 36bd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mtv.exe

pid process

2188 mtv.exe

pid	process
2456	36bd.exe

pid	process
2188	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exe36bd.exe

description	pid	process	target process
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2788 wrote to memory of 2656	2788	rundll32.exe	rundll32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2776	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 1804	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2572	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2492	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2692	2656	rundll32.exe	regsvr32.exe
PID 2656 wrote to memory of 2536	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 2536	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 2536	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 2536	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 1908	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 1908	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 1908	2656	rundll32.exe	36bd.exe
PID 2656 wrote to memory of 1908	2656	rundll32.exe	36bd.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2456 wrote to memory of 2136	2456	36bd.exe	rundll32.exe
PID 2656 wrote to memory of 2188	2656	rundll32.exe	mtv.exe
PID 2656 wrote to memory of 2188	2656	rundll32.exe	mtv.exe
PID 2656 wrote to memory of 2188	2656	rundll32.exe	mtv.exe
PID 2656 wrote to memory of 2188	2656	rundll32.exe	mtv.exe
PID 2656 wrote to memory of 1224	2656	rundll32.exe	rundll32.exe
PID 2656 wrote to memory of 1224	2656	rundll32.exe	rundll32.exe
PID 2656 wrote to memory of 1224	2656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a309596c9bb24df4a97b6a2fb3967bf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a309596c9bb24df4a97b6a2fb3967bf_JaffaCakes118.dll,#1
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
3⤵
PID:2776

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
3⤵
PID:1804

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
3⤵
PID:2572

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
3⤵
PID:2492

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2692

C:\Windows\SysWOW64\36bd.exe
C:\Windows\system32/36bd.exe -i
3⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\36bd.exe
C:\Windows\system32/36bd.exe -s
3⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
3⤵
- Loads dropped DLL
PID:1224

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ag4fnjr\tmp.exe
Filesize
156KB

MD5
a5c9d954647b0306b686b1f241ce7619

SHA1
fe149852402f128823acc411c1a65d8ddf787674

SHA256
7778260358b57a87ec1541e7527701889c08eab5aaf411b506acd541a172e800

SHA512
a9e3a713acc653685af52733e59521b5a4fb37c2b8497dac4188d5aabe23123d303090f7ca6787b3d4084657f92e7f2da74c243c322ee99a52d3155dbffa6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
Filesize
176KB

MD5
c9569d3756601e637cce7852d4873006

SHA1
baecac7d48157538118a8608b4cfe9d0a1fcc4e7

SHA256
dfa413d59c563a94903a308119add26fb00e3751fe592c323793362c65f81f9f

SHA512
d12b2721cc09f1eb7ac193d6290173a3b7cd6f5f7ecc1a3c4a205d6f51b17ebcb95547a44086132f6269193a5c18b8280652210d24c36ca845b852f592e4c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
Filesize
108KB

MD5
84d4e11b072600b1dc14aaf68e51efe6

SHA1
bc54e97adff79694071825ceb275ad5a98cf9966

SHA256
2f2ae9a0840bdd05f9dbe4c021e3d3fecfc8d560b34183649b7c7519b6fd66e9

SHA512
64283c8a0274ff365fe7468a46b4bf6d2410dafb3df2b6a8152ad5cd9c47b6297eb7a7bf2869c45c012786667c07e625ac188e2d55bbbc4379e5d89bb7594a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
Filesize
474KB

MD5
f387fc37289f94bedfa43e4444d1d99c

SHA1
79fd30b9fea45be97574a79708ae0da044871cb9

SHA256
11b87fcda6ee4b538e227a279ce6b949e832f94adfddd3d3ed82de89a9dcb9be

SHA512
697cdc0c4fb4c3eed8e49f069f3f963310b9dd885b93f0cee91b20a3b92bdcaee1e325dab15c869e56ad3843b482fd6b3d4016f0da1dc126bd4e0ca95ec84e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
Filesize
224KB

MD5
2eab425cb5ff88d8dd775ca62de0cd15

SHA1
38b05f079c8e97ff7f3e0f291d003fa5c725dddb

SHA256
3a30b7d147c3c26edc3da90029e280d6d651d38648d7a9a4dd774faba78b4a4b

SHA512
bcde3169a125e8667ccba03f7e5a56ede5e7f6ff306c1682498d4fcf32c5bea41ca2319223632b972395ac6acb694392f2c2ad03fff6653d83d1154d145950c4

Download Submit