njrat | 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2

General

Target

461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
Size

3.0MB
MD5

8a060daac1e73524a227875e5da6eb3d
SHA1

9cd8730422dc2553e028828feb370341da702061
SHA256

461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
SHA512

9fee328d96c2c2df6bd9a37c835dd7272215f0952479d56f09d0371375bc758388c96a598319e6e11a3673e270738794177ef0ca9b8b817274b3d5d65eab0d87

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

lightcf.ddns.net:1177

Mutex

f20acdfb6b0a6c02ffcee135dec9d57c

Attributes

reg_key
f20acdfb6b0a6c02ffcee135dec9d57c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Server.exejf_crazycf_1_4.exe

pid process

1492 Server.exe
1144 jf_crazycf_1_4.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1492	Server.exe
1144	jf_crazycf_1_4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jf_crazycf_1_4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jf_crazycf_1_4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jf_crazycf_1_4.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

jf_crazycf_1_4.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Wine jf_crazycf_1_4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Wine	jf_crazycf_1_4.exe

Loads dropped DLL 2 IoCs

Processes:

461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe

pid	process
1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

jf_crazycf_1_4.exe

pid process

1144 jf_crazycf_1_4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008eab7427a81c0c4fa783d262baac04be00000000020000000000106600000001000020000000c5eb2b8d09bddf473d7549a4e608fce8681d82abb3a247dba1b519861d50c414000000000e800000000200002000000004da2d3ffa0c289754c24cd78cf8e43df32ffa68cea827a5d460d7effe522d1a9000000005108ff96ab92b9934f1192845e53bf530fe5e10c2e5b832736b78e33482f36762f8044dfd8f61e6b7727d282e07a27a8d0e5489dd41a6f724026170da8d08678342ef1e2da9b6be30966a5f0e40abb1177bb02d94ac0fe42aeeb219b635f754fd67b3012f101a7f29d6e674ed618ad6e6c61a77bd1197e7906534b9878ada451890e82a0d6101a699b11d4ab027bc6340000000e84454480f7ea527442d1b283b55c4271da4772a747eba54a821b71d4439ac09e4e00e986f19a7c6dd2aaf8af183bbaedf94e1d1676048406620d98fb3b27df8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339235748"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46AA3C01-1D0E-11EC-83FC-FEBA24881352} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0902c251bb1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008eab7427a81c0c4fa783d262baac04be0000000002000000000010660000000100002000000001b1bdd0dfdff3ab5ba877dc68a107d0d35fb3a821dc5428a75200e9142b65ca000000000e8000000002000020000000d1c461b23843ad5d324ad4f48c9b42f05ae740fdd4700abf287be5faaa0c863120000000c7658491dbe980e0e4815393cc1dc6e8f46ae9971bd5d24ca25831c758b0464a40000000aa8fc11889152594218d289875a18bb19e289b3765a56674b1949b00f10124af3234971c4a676b908ae02bcb102f5cc03c9cc9f206ffde5130abb5910e0f503d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jf_crazycf_1_4.exe

pid	process
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe
1144	jf_crazycf_1_4.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

jf_crazycf_1_4.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	1144	jf_crazycf_1_4.exe
Token: SeDebugPrivilege	1144	jf_crazycf_1_4.exe
Token: SeDebugPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe
Token: 33	1492	Server.exe
Token: SeIncBasePriorityPrivilege	1492	Server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1512 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1512 iexplore.exe
1512 iexplore.exe
784 IEXPLORE.EXE
784 IEXPLORE.EXE
784 IEXPLORE.EXE
784 IEXPLORE.EXE

pid	process
1512	iexplore.exe

pid	process
1512	iexplore.exe
1512	iexplore.exe
784	IEXPLORE.EXE
784	IEXPLORE.EXE
784	IEXPLORE.EXE
784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exejf_crazycf_1_4.exeiexplore.exeServer.exe

description	pid	process	target process
PID 1976 wrote to memory of 1492	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	Server.exe
PID 1976 wrote to memory of 1492	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	Server.exe
PID 1976 wrote to memory of 1492	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	Server.exe
PID 1976 wrote to memory of 1492	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	Server.exe
PID 1976 wrote to memory of 1144	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	jf_crazycf_1_4.exe
PID 1976 wrote to memory of 1144	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	jf_crazycf_1_4.exe
PID 1976 wrote to memory of 1144	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	jf_crazycf_1_4.exe
PID 1976 wrote to memory of 1144	1976	461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe	jf_crazycf_1_4.exe
PID 1144 wrote to memory of 1512	1144	jf_crazycf_1_4.exe	iexplore.exe
PID 1144 wrote to memory of 1512	1144	jf_crazycf_1_4.exe	iexplore.exe
PID 1144 wrote to memory of 1512	1144	jf_crazycf_1_4.exe	iexplore.exe
PID 1144 wrote to memory of 1512	1144	jf_crazycf_1_4.exe	iexplore.exe
PID 1512 wrote to memory of 784	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 784	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 784	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 784	1512	iexplore.exe	IEXPLORE.EXE
PID 1492 wrote to memory of 536	1492	Server.exe	netsh.exe
PID 1492 wrote to memory of 536	1492	Server.exe	netsh.exe
PID 1492 wrote to memory of 536	1492	Server.exe	netsh.exe
PID 1492 wrote to memory of 536	1492	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
"C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
3⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
C:\Users\Admin\AppData\Local\Temp/jf_crazycf_1_4.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.crazyfrost.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
befaa9afa3eafaa0d28be853e9c3c673

SHA1
d1506c61b4f22694be2c0ad78e3b990d90a7e434

SHA256
bdc9c240d082a8c550e3fa662e09e3015ac2d77f61b960a7bc1b8b67059f3d2c

SHA512
fc812270e3730640a1d53365332c51633ca601b0dbc6d22c04f80cf70979c7e04f1ef9150872e15ae73baf247235bc940f91c11a2f2223af56fdef0292977e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a0d11518eee518a2d24ba47c2b6e8770

SHA1
ab07ca56c9304ecb7fc81f7f8a366c71a0d47293

SHA256
a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c

SHA512
d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a0d11518eee518a2d24ba47c2b6e8770

SHA1
ab07ca56c9304ecb7fc81f7f8a366c71a0d47293

SHA256
a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c

SHA512
d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
MD5
46191543960191df082176d7ee9e1466

SHA1
3c40d877d92ee5b44f5ed1df2d383db19c929380

SHA256
7978aafb1f8aae0906ca62ff938226711e08dcccc8727f718e49d13aaf6ce220

SHA512
4d677f20f5da2f06d31afa71f47a8594508cef6ba7fb5ba8c80a59e33ba06bfc4e6a2a0a193840ee83919074bd2c54db23350de2ffef20114928be5d37cb2084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CK2ZXTF1.txt
MD5
5e4ea7e32e064edff8091f50671909bf

SHA1
3c18676f9a2f275f13398a0460356f6046bbfc52

SHA256
2a5e1b1fa567a59e50d1ce31eb89ba37bb71ea0c24f25912eea8a0530282f1f7

SHA512
6e218168e0eba094b95b2b1c53075a18d1d31d185d2d2eea73144e60d0f0f5b9d60abb40dcd528377bdb7a993293f6786b56da5e59441b9870d147db26ff91b5

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a0d11518eee518a2d24ba47c2b6e8770

SHA1
ab07ca56c9304ecb7fc81f7f8a366c71a0d47293

SHA256
a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c

SHA512
d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4

Download Submit
\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exe
MD5
46191543960191df082176d7ee9e1466

SHA1
3c40d877d92ee5b44f5ed1df2d383db19c929380

SHA256
7978aafb1f8aae0906ca62ff938226711e08dcccc8727f718e49d13aaf6ce220

SHA512
4d677f20f5da2f06d31afa71f47a8594508cef6ba7fb5ba8c80a59e33ba06bfc4e6a2a0a193840ee83919074bd2c54db23350de2ffef20114928be5d37cb2084

Download Submit
memory/536-93-0x0000000000000000-mapping.dmp

Download
memory/784-91-0x0000000000000000-mapping.dmp

Download
memory/1144-68-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1144-83-0x0000000006D30000-0x0000000006DB5000-memory.dmp

Filesize
532KB

Download
memory/1144-75-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/1144-73-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1144-78-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/1144-77-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1144-76-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/1144-71-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1144-69-0x00000000044A0000-0x00000000044A2000-memory.dmp

Filesize
8KB

Download
memory/1144-65-0x0000000000000000-mapping.dmp

Download
memory/1144-79-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/1144-96-0x0000000006E2A000-0x0000000006E3B000-memory.dmp

Filesize
68KB

Download
memory/1144-82-0x0000000006E60000-0x0000000006EE6000-memory.dmp

Filesize
536KB

Download
memory/1144-74-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/1144-85-0x0000000006E22000-0x0000000006E23000-memory.dmp

Filesize
4KB

Download
memory/1144-84-0x0000000006E21000-0x0000000006E22000-memory.dmp

Filesize
4KB

Download
memory/1144-86-0x0000000006E23000-0x0000000006E24000-memory.dmp

Filesize
4KB

Download
memory/1144-87-0x0000000006E24000-0x0000000006E26000-memory.dmp

Filesize
8KB

Download
memory/1144-88-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1144-95-0x0000000007D40000-0x0000000007D9E000-memory.dmp

Filesize
376KB

Download
memory/1144-70-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/1144-72-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/1492-81-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1512-90-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1512-89-0x0000000000000000-mapping.dmp

Download
memory/1976-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads