ca3fc82f9e68de0c08bb1195161f20e0b7ffe7177563f072d93ec40c88c96e2a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Size

40KB
MD5

0b3a99041c6f87cd214aaca8fc9ced36
SHA1

540e931f8bbcba2a8d37c6b74b4a690d43f117d5
SHA256

ca3fc82f9e68de0c08bb1195161f20e0b7ffe7177563f072d93ec40c88c96e2a
SHA512

097684023fa16557c9005eeccd9ae74101081d72a1b9df8b84aaa8a9e0159f7413240c31ee4fa32717c2cadf597cdfc7937624d48d257e10653b5f09550c064c
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHgqUE:aqk/Zdic/qjh8w19JDH9UE

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000900000001447e-10.dat	upx
behavioral1/memory/2328-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-848-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1316-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1320-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1321-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1325-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1329-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1344-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2328-1347-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
File created	C:\Windows\java.exe	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
File created	C:\Windows\services.exe	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2328	836	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe	28
PID 836 wrote to memory of 2328	836	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe	28
PID 836 wrote to memory of 2328	836	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe	28
PID 836 wrote to memory of 2328	836	0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3a99041c6f87cd214aaca8fc9ced36_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
634496af0a3b726c4d026a1c4b430d23

SHA1
1e2a844efb9faaf333622d0b85a3bb7286d5b29c

SHA256
754d3739bf4e78f75f2d3dd26f709abb5ccf73812c4f136fa8bd73e34761ea4b

SHA512
ea28080cca91bd7de420c0609fad29165fef27a622c5f30f0cb1a31da5d92410ec9c363c3cc1fb9e96fc3bce563a3cf7e2fd3134dcc24c19adbdb686c65d1ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79dd09d8f17d3212e39c0500aed991ea

SHA1
0356ba91c114ba4806c12e8fb876a70ff10fd45c

SHA256
47a319488037dc85b0875ffb2caf5e32a2fc8bd1b7b697c07570c76a82ce07ba

SHA512
b424c861f80c200d1b718cfd952cf896bcb4c0bce91fbd358e8bc3f8c7b459df86f0049d114c48d42eaf867c62261c9d7597a9d52a0874e89189181335fad255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7395f8577bc96bcd949af23946c12095

SHA1
f6a6b5b71c269b2a275e15aabf788d0726ce858d

SHA256
edc9197345b4a73972fbeb370fdfa63bde14b510fd07d379a4d7bd882994df3e

SHA512
90c34bdc1952f567b5bd50ebea0022b1f219922b844454ea13e800678d12b4e25d3b7d67301772734d045745bbe71a92dc63da69d907b76a773627c400ea84f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0df822b05b5e48b2abdea5456082888b

SHA1
67c1248d5e1677facba00d1cf0d2c1562b47cd6d

SHA256
a2d462786e2698afbd034e19cdd8aa7a21951a2d1aeff42fad2a75ea1d5573f9

SHA512
147d35096455453af286fac4b3f7876590e67841dc1ad82d0ded7158ead3e8b3bcba8607ec467a73d937b79c88c950f6c7916ccbc3be5d4edfb2599ca7230a8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a93e50092ae79857bc26c641fa25c3df

SHA1
5ff033499ec9b94127c77d2a5004418a8cb086e0

SHA256
4f67a1b6ed3f26248911b961b7360cf000ec381ffd7061c44fd88e069d164ab6

SHA512
862b5f70d8ae3b7e41f2db31353277ccef8f441fb5ead876e939b6cd632e530ab96031c192016711a3eaad08fc1103a313d69281f8842830f201a0ead8fa6cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6ff89051a19fbc8f615d935d2840ee2

SHA1
773b1422962e56c6289f192fa7e16da18ebedb42

SHA256
b5e45e6ac6829a96cdcb3689317426729f7a5d9a9ffaebc7471db845c26f8b91

SHA512
a5a37cfb4b3f2a1b1b6e6b603cc8f77069976964b3dd3414bd11d008bc143d6bcfe84d0ac39ddbc3e054b4778f954d1c2ac81cc197758f31a4d9cb3566b245f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac3e789d1f8de3de19b425bbe5adfa1d

SHA1
de9e15c51106a2a67d182743e01bb71e3a06c661

SHA256
aff1a09e48fc3cb50df08fb62de9ab6c1079144a06e5f705e9067537cfe1dd75

SHA512
0fcb5fed38dbb3e0ea1de76c29fff7d7eeb747341753387556f7914cc20e5ab18aa4c75a2273669f0a0cd5b800b4a6001c3fe46e117e0fb1f13ae24d9ddc5720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aadcc82d3042730621c40c42a6249cc2

SHA1
18af67c9dac49146e8a647df6bccca762a165427

SHA256
df0aa61bdc140d13ee48889cac411538b6181d1b11639a46a52f761a85c184ed

SHA512
359f7cc61ba5dc0e73e4d004a439db4f4d7f08743a64dfdb60f197856a4c2fa8a8a2562a01ac43b533e29c2e54f46cd5264567f9e3ee8160e02d5d911e1f5869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
189967d4185a4e2a818b6514255ba64d

SHA1
c1259616b0ad673232c8068c3f1ac7d1d2ad9d03

SHA256
813f75c8dc3d19e01b10078bb742faee4f3b4ee1997fca7ed02755ed6796aead

SHA512
2ad0cecb1767ade5ff9ed8a59616278f1d901dd8e25a9780b8f3ac5e072d7ea1bf9e35864aa72ae5891d93e0406838d0287087d8c8c9998f5fcca4f6cffedd5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
642e3d1661cc2590288d74e52e80218c

SHA1
702aa37716f759b967ace81db317ad694ab691db

SHA256
0ca314486bed8d9969fb5bc47f6fcafbb0feac99383f37211aede032c4ba7dfe

SHA512
f44f26bc908436fb39ad4f89c242ff050eb315ae21ae4d387859ba564dc9e4026d883d306a0fdfe84f77ce8203097416cd243b1b19ef3587a271f071af7c8566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81632bb7509531e2f0436fa24c0a7feb

SHA1
5a7ef36004a98c8697b63e32ad8da41a846b33a0

SHA256
abcc1cca0673b606b1dbb5f45ee8d7f428293a2a599261f0100042a23c3bcb5b

SHA512
e259efe529924ab426f413e439d295e68344e291f2f2bcd2f66c75a9d4ac7fc59e60008e026f7f00361ebb263aea4e1013d09801796b8483ded66fd1ca91880e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8bb655094f2e0153961e73a73af19c9

SHA1
f9faa0cf6bd9a4b28231cc5a7e6acbfde6431474

SHA256
a5981ebb24161315d0a0fc9f4c9198302980035870431cc9ab413a56320789fd

SHA512
7b54b4ecc42bea292d8472695b8c4a501db9951b3f698f0c91037aa56e74eedb21e125b0755fe18200ba54923e0a8a62a8454fb75ffbc40f1e0692e414b268fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1636fc11a82610f76384520eef95b62

SHA1
daa63c82fb9566d850c028e613010e4be651902c

SHA256
bef4950937c1acfc29d81f5ccf0f82d8298d42f94f46ccfd403c2f40b29a4a09

SHA512
269414d25ad8b5638c89453ba38984b2d39260c49fe5646f33db7e722f062979077ad61f8b1226ee271d377a171d75c9325f206b2407edbc8f2691b1c0f9a63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f2e31fd28f8cc731252a46afb77ffa17

SHA1
6d99b30da10475ba712e7a113a9d4c7c15250175

SHA256
6ee565d466b5459c2cfee2bae1843c481a924794cce523f37caee532c1f14677

SHA512
696cf78ee217041269e569cd1d8fd61c75a212cc307bbd1ad160a56c52ee48e04e0369c4b790764a89a5e5c57e0b577e0d5f60aaa046cdb3e2c89e2b5b3047da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1PG2YON4\LW3BN6T6.htm

Filesize
175KB

MD5
4c6cf66a997f1619bb144c69cb4c4e02

SHA1
7efdb56bafe5b32e27c6941ea4f92317cbe78c87

SHA256
9194bcccffc5cf26918ae70319f9b959841a9cedc6e71ecb755b148985d09593

SHA512
45b5893c0072d5c916eb5c8a8abc2f7308fd31da60205a9c2869fea95640b23f041b6011e6eaadeaddf470df532ffaa1553699c5ce5037ef4e650c025608f622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8NS7DIBH\search[2].htm

Filesize
146KB

MD5
a1c3c040381bd0490d7611ef3641216f

SHA1
dfb846a1a18506d894213fbb581254528845347c

SHA256
83e57680c0cf202039a7cb886162225acd762a4486a45b7cf48193143c1ba1fb

SHA512
5e3384f8b804619986341fbfe07f586e70c92cfb5752b4f64ce12c044f527b19a4cffc79fc496a5e35b0fdbb1a4c19162f9b482eb3b0aa7fe9de5ab49e176e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKBI3XWP\E2RCLBER.htm

Filesize
175KB

MD5
5aa2468194780f7d3b07a83b9f60cc9a

SHA1
d73d21450ea2d16b40a87399d77726d185fc7d05

SHA256
e553312ef9897fd86b133c5d4758f9a89039f5d2fe49bc40ceca8f8f2665021b

SHA512
c98551471688e02ee382c70c6fae2151f884f9e993ef271dddcdc4c74fcdd61178984889609b63dff2f7eb9fd117dad664573b6029b74e7d0917f7f21e97eca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKBI3XWP\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RZZ2MCT8\search[1].htm

Filesize
115KB

MD5
8ef9ea69e2eb8414686b9e851afddb80

SHA1
4fcaca67ff78fd2f70d5fba0a9726662bab5aba3

SHA256
7e9555b62c837b4b12d43862beb22362bdb73a0bbbae5c6af247d308b54d4fd7

SHA512
a47956082f904421de82ca4f81822d3da5dfb600d2624fdd6b100b9c05130fd32d56bdf77a6c921183ce7ddb701726e63340a147d6090869bd5bdac2a4b4c7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB3C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF385.tmp

Filesize
40KB

MD5
c425be785690ef7e56a07652864ca0d2

SHA1
821b76b668d680a59ab713078a6dbf85043622e7

SHA256
28a91001db2d5858548f39594076f79b647c2e9237603bf8c8fc5c577cb0d1ff

SHA512
ded8bbdfa127b82a34c83f86c0d3621ecf9430da6b1d560921495f3497c7ecf4ca64dbd09259c12fd38e7172ff078f2a52b5543e7172559073cfcb9b413f8f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
703ed70c0e47de85550b93b628e68e74

SHA1
59443d8da676adf2a39b806c63358376c902ec93

SHA256
e5168cc06475064ad905fb5e6df3fb322d401c3297fda1c91895be4cfbc6424c

SHA512
a45b403a3b1579bee6433a7e6bce6092e9f2e2506e9a258036c770113cf337bb015e7297372ab52678d1fa67f7d5de46b9860ea0d3090209aee420253c7838b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6b728e3f798176d1be7c4e22d0bdd87d

SHA1
866bbc804f6c49fc53678b67e1b72c5cd055f97d

SHA256
647fa6e3c755d871e880d044e50866cd7e16fa17d7b9ef56a32cf3665d364a0f

SHA512
1a699c747f260ba75dd67dae54d075ec255eecbb2960206fd3b9307073075d21c94e3f8ca040b9d48e8b3e82c3de062754b521fd6800d473b52f53defb7b519f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/836-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/836-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/836-22-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/836-8-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/836-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2328-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1316-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-848-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1320-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1321-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1325-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1329-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1344-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-1347-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads