Analysis

max time kernel: 65s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 02-05-2024 09:56

Static task: static1
Behavioral task: behavioral1
  Sample: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

General

Target: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Size: 2.5MB
MD5: 0e2d67a033efc098dcdafe159cbd1954
SHA1: 0b962240091c3037e25db68e92768bd1119f9c66
SHA256: 616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e
SHA512: f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f
SSDEEP: 49152:y8Zbn98Zbn98Zbn98ZbnYn/4MnYYJ2ZhqSGLHkJEMFHUDkYOMwwnMb4PmyV:1wIDQnYOXwnS4rV
Malware Config
Signatures
-
Executes dropped EXE (16 IoCs)
pid   Process
2128  465.#.exe
2860  751.#.exe
2580  38.#.exe
2660  832.#.exe
2736  633.#.exe
1604  625.#.exe
1668  981.#.exe
1148  574.#.exe
2024  699.#.exe
2564  872.#.exe
2544  385.#.exe
2696  385.#.exe
2036  732.#.exe
1456  877.#.exe
2008  474.#.exe
2940  806.#.exe
Loads dropped DLL (31 IoCs; every process except 2544 is listed twice in the raw table, i.e. two load events each)
pid   Process
3024  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe (2 events)
2128  465.#.exe (2 events)
2860  751.#.exe (2 events)
2580  38.#.exe (2 events)
2660  832.#.exe (2 events)
2736  633.#.exe (2 events)
1604  625.#.exe (2 events)
1668  981.#.exe (2 events)
1148  574.#.exe (2 events)
2024  699.#.exe (2 events)
2564  872.#.exe (2 events)
2544  385.#.exe (1 event)
2696  385.#.exe (2 events)
2036  732.#.exe (2 events)
1456  877.#.exe (2 events)
2008  474.#.exe (2 events)
Adds Run key to start application (2 TTPs, 17 IoCs)
description: Set value (str)
ioc (identical for all 17 rows):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
Process (one row each):
  877.#.exe
  806.#.exe
  465.#.exe
  574.#.exe
  832.#.exe
  981.#.exe
  699.#.exe
  872.#.exe
  385.#.exe
  751.#.exe
  38.#.exe
  633.#.exe
  625.#.exe
  385.#.exe
  732.#.exe
  474.#.exe
  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all rows)
ioc  Process
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\  465.#.exe
C:\Program Files\Java\jdk1.7.0_80\db\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\  625.#.exe
C:\Program Files\Microsoft Games\Hearts\en-US\  981.#.exe
C:\Program Files\7-Zip\Lang\  465.#.exe
C:\Program Files\Java\jdk1.7.0_80\db\lib\  38.#.exe
C:\Program Files\Common Files\Microsoft Shared\TextConv\  751.#.exe
C:\Program Files\Common Files\System\Ole DB\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Common Files\System\msadc\en-US\  981.#.exe
C:\Program Files\Common Files\System\Ole DB\ja-JP\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\  981.#.exe
C:\Program Files\Microsoft Games\FreeCell\ja-JP\  832.#.exe
C:\Program Files\Common Files\Microsoft Shared\  751.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Microsoft Games\Chess\es-ES\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Microsoft Games\Purble Place\de-DE\  465.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\  981.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\  751.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\  625.#.exe
C:\Program Files\Internet Explorer\ja-JP\  981.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\  751.#.exe
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\  981.#.exe
C:\Program Files\Microsoft Games\Mahjong\en-US\  981.#.exe
C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\  633.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\  832.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\  699.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\  625.#.exe
C:\Program Files\Microsoft Games\Chess\it-IT\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\  465.#.exe
C:\Program Files\Internet Explorer\it-IT\  465.#.exe
C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\  574.#.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe  832.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\  872.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\  385.#.exe
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\  633.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\  38.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\  633.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\  625.#.exe
C:\Program Files\Internet Explorer\fr-FR\  699.#.exe
C:\Program Files\Internet Explorer\  699.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\  633.#.exe
C:\Program Files\Common Files\System\de-DE\  625.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\  699.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\  465.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\  832.#.exe
C:\Program Files\Common Files\System\it-IT\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Microsoft Games\Hearts\es-ES\  981.#.exe
C:\Program Files\Microsoft Games\Minesweeper\en-US\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\  981.#.exe
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\  832.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\  38.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\  981.#.exe
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\  981.#.exe
C:\Program Files\Common Files\System\Ole DB\  38.#.exe
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\  38.#.exe
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\  625.#.exe
NTFS ADS (17 IoCs)
description: File opened for modification (all rows)
ioc (identical for all 17 rows): C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak
Process (one row each):
  38.#.exe
  832.#.exe
  633.#.exe
  699.#.exe
  474.#.exe
  806.#.exe
  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
  465.#.exe
  751.#.exe
  574.#.exe
  877.#.exe
  981.#.exe
  385.#.exe
  625.#.exe
  872.#.exe
  385.#.exe
  732.#.exe
Suspicious use of SetWindowsHookEx (17 IoCs)
pid   Process
3024  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
2128  465.#.exe
2860  751.#.exe
2580  38.#.exe
2660  832.#.exe
2736  633.#.exe
1604  625.#.exe
1668  981.#.exe
1148  574.#.exe
2024  699.#.exe
2564  872.#.exe
2544  385.#.exe
2696  385.#.exe
2036  732.#.exe
1456  877.#.exe
2008  474.#.exe
2940  806.#.exe
Suspicious use of WriteProcessMemory (64 IoCs; each parent/child pair appears four times in the raw table, so 16 distinct pairs)
description: PID <pid> wrote to memory of <target pid>
pid   Process                                              target pid  procid_target
3024  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe  2128        28
2128  465.#.exe                                            2860        29
2860  751.#.exe                                            2580        30
2580  38.#.exe                                             2660        31
2660  832.#.exe                                            2736        32
2736  633.#.exe                                            1604        33
1604  625.#.exe                                            1668        34
1668  981.#.exe                                            1148        35
1148  574.#.exe                                            2024        36
2024  699.#.exe                                            2564        37
2564  872.#.exe                                            2544        38
2544  385.#.exe                                            2696        39
2696  385.#.exe                                            2036        41
2036  732.#.exe                                            1456        43
1456  877.#.exe                                            2008        44
2008  474.#.exe                                            2940        45
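The signature tables above give three host-observable behaviours that survive the throwaway stage names: the Run-key value WinFirewall pointing at C:\905c0769f9a06c95a24ddf945\patcher.exe, the alternate data stream written under %TEMP% by every stage, and a chain of %TEMP%\<digits>.#.exe processes each writing into the memory of the next. The block below is an added example written for this page, not part of the sandbox report and not code from the sample: it assumes Sysmon-style event fields and IDs (1 process create, 13 registry value set, 15 file stream created), constructs a handful of events that mirror the first hops of the chain in the report (PIDs 3024 -> 2128 -> 2860) plus one benign Run-key write, and matches on the exact indicators listed above. The user name in the Temp path is left as a wildcard and the hash on the dropped stages is a placeholder, since the report only ties the SHA256 to the submitted sample; both go slightly beyond what the page shows.

```python
"""Detection rules for the behaviour this report records, run over constructed
Sysmon-style events (added example, not part of the sandbox output)."""
import re
from collections import defaultdict

# Indicators copied from the report's signature tables.
SAMPLE_SHA256 = "616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e"
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run\winfirewall"
RUN_VALUE_DATA = r"C:\905c0769f9a06c95a24ddf945\patcher.exe"
# Stages are dropped as %TEMP%\<digits>.#.exe (465.#.exe, 751.#.exe, ...); the
# ADS marker path is taken from the report, with the user name left open (assumption).
DROPPED_STAGE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\\d{1,3}\.#\.exe$", re.I)
ADS_MARKER = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\:\\systemlog\.bak$", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe"

# Constructed events. Assumption: Sysmon field names and IDs (1 = process
# create, 13 = registry value set, 15 = file stream created). PIDs and image
# names mirror the first hops of the chain in the report; the hash on the
# dropped stages is a placeholder, not a value the report gives.
EVENTS = [
    {"EventID": 1, "ProcessId": 3024, "ParentProcessId": 1500, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 1, "ProcessId": 2128, "ParentProcessId": 3024, "Image": TEMP + r"\465.#.exe",
     "ParentImage": SAMPLE, "Hashes": "SHA256=" + "ab" * 32},
    {"EventID": 1, "ProcessId": 2860, "ParentProcessId": 2128, "Image": TEMP + r"\751.#.exe",
     "ParentImage": TEMP + r"\465.#.exe", "Hashes": "SHA256=" + "ab" * 32},
    {"EventID": 13, "ProcessId": 2860, "Image": TEMP + r"\751.#.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall",
     "Details": RUN_VALUE_DATA},
    {"EventID": 15, "ProcessId": 2860, "Image": TEMP + r"\751.#.exe",
     "TargetFilename": TEMP + r"\:\systemlog.bak"},
    # Benign noise: a legitimate app registering its own Run value under HKCU.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1500, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "00" * 32},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def find_known_hash(events, sha256=SAMPLE_SHA256):
    """PIDs of processes whose image hash is the submitted sample's SHA256."""
    tag = ("SHA256=" + sha256).lower()
    return [e["ProcessId"] for e in events
            if e["EventID"] == 1 and tag in e.get("Hashes", "").lower()]


def find_run_key_persistence(events):
    """Run-key writes that recreate the WinFirewall -> patcher.exe entry.
    Matching on the key suffix covers HKLM, the Wow6432Node view and the
    \\REGISTRY\\MACHINE spelling used in the report."""
    return [(e["ProcessId"], e["TargetObject"]) for e in events
            if e["EventID"] == 13
            and e["TargetObject"].lower().endswith(RUN_KEY_SUFFIX)
            and e["Details"].lower() == RUN_VALUE_DATA.lower()]


def find_ads_marker(events):
    """Alternate-data-stream writes to the marker path every stage touches."""
    return [(e["ProcessId"], e["TargetFilename"]) for e in events
            if e["EventID"] == 15 and ADS_MARKER.match(e["TargetFilename"])]


def find_dropper_chains(events, min_depth=3):
    """Follow parent->child links where each child is a %TEMP%\\<n>.#.exe stage.
    Returns chains of PIDs (root first) that are at least min_depth long."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for e in procs.values():
        children[e["ParentProcessId"]].append(e["ProcessId"])

    def walk(pid, path):
        stages = [c for c in children[pid] if DROPPED_STAGE.match(procs[c]["Image"])]
        if not stages:
            return [path]
        return [p for c in stages for p in walk(c, path + [c])]

    roots = [pid for pid, e in procs.items() if e["ParentProcessId"] not in procs]
    return [chain for r in roots for chain in walk(r, [r]) if len(chain) >= min_depth]


def triage(events):
    """All findings keyed by rule name; an empty list means the rule did not fire."""
    return {
        "known_sample_hash": find_known_hash(events),
        "run_key_persistence": find_run_key_persistence(events),
        "ads_marker": find_ads_marker(events),
        "dropper_chain": find_dropper_chains(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

Running the block prints one line per rule. The chain rule keys on the numeric `.#.exe` naming and the parent/child links rather than on hashes, because the stages carry throwaway names and the report does not tie either of the two downloaded file hashes to a particular stage; the Run-key and ADS rules are exact-indicator matches and would need the path and value name generalised before reuse against a different build of the same family.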
Processes

Each entry is nested one level below the previous one in the report's tree; the number in brackets is that nesting level, followed by the image path, the command line as captured, the PID and the signatures that fired for the process.

[1] C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe"
    PID: 3024
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\465.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\465.#.exe
    PID: 2128
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\751.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\751.#.exe
    PID: 2860
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Local\Temp\38.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\38.#.exe
    PID: 2580
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[5] C:\Users\Admin\AppData\Local\Temp\832.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\832.#.exe
    PID: 2660
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[6] C:\Users\Admin\AppData\Local\Temp\633.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\633.#.exe
    PID: 2736
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[7] C:\Users\Admin\AppData\Local\Temp\625.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\625.#.exe
    PID: 1604
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[8] C:\Users\Admin\AppData\Local\Temp\981.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\981.#.exe
    PID: 1668
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[9] C:\Users\Admin\AppData\Local\Temp\574.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\574.#.exe
    PID: 1148
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[10] C:\Users\Admin\AppData\Local\Temp\699.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\699.#.exe
    PID: 2024
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[11] C:\Users\Admin\AppData\Local\Temp\872.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\872.#.exe
    PID: 2564
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[12] C:\Users\Admin\AppData\Local\Temp\385.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\385.#.exe
    PID: 2544
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[13] C:\Users\Admin\AppData\Local\Temp\385.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\385.#.exe
    PID: 2696
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[14] C:\Users\Admin\AppData\Local\Temp\732.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\732.#.exe
    PID: 2036
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[15] C:\Users\Admin\AppData\Local\Temp\877.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\877.#.exe
    PID: 1456
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[16] C:\Users\Admin\AppData\Local\Temp\474.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\474.#.exe
    PID: 2008
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[17] C:\Users\Admin\AppData\Local\Temp\806.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\806.#.exe
    PID: 2940
    - Executes dropped EXE
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx

The remaining stages were started in the same nested pattern but no signature fired for them within the run:

[18] C:\Users\Admin\AppData\Local\Temp\150.#.exe  PID: 2856
[19] C:\Users\Admin\AppData\Local\Temp\522.#.exe  PID: 1444
[20] C:\Users\Admin\AppData\Local\Temp\606.#.exe  PID: 2244
[21] C:\Users\Admin\AppData\Local\Temp\616.#.exe  PID: 2836
[22] C:\Users\Admin\AppData\Local\Temp\277.#.exe  PID: 636
[23] C:\Users\Admin\AppData\Local\Temp\991.#.exe  PID: 1304
[24] C:\Users\Admin\AppData\Local\Temp\248.#.exe  PID: 352
[25] C:\Users\Admin\AppData\Local\Temp\266.#.exe  PID: 968
[26] C:\Users\Admin\AppData\Local\Temp\172.#.exe  PID: 1768
[27] C:\Users\Admin\AppData\Local\Temp\381.#.exe  PID: 692
[28] C:\Users\Admin\AppData\Local\Temp\884.#.exe  PID: 564
[29] C:\Users\Admin\AppData\Local\Temp\535.#.exe  PID: 2072
[30] C:\Users\Admin\AppData\Local\Temp\664.#.exe  PID: 2416
[31] C:\Users\Admin\AppData\Local\Temp\813.#.exe  PID: 2704
[32] C:\Users\Admin\AppData\Local\Temp\579.#.exe  PID: 2676
[33] C:\Users\Admin\AppData\Local\Temp\727.#.exe  PID: 2656
[34] C:\Users\Admin\AppData\Local\Temp\506.#.exe  PID: 1648
[35] C:\Users\Admin\AppData\Local\Temp\645.#.exe  PID: 2404
[36] C:\Users\Admin\AppData\Local\Temp\596.#.exe  PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2.5MB
  MD5: d27f8c82a4d0a4baa70a09f542950e6c
  SHA1: 476ecf947f1942df2ae1593a227b25cac5b69417
  SHA256: 2c5fcbbca8114dc56bbb68e7d021e6d8597fc4ae978e7f59e31eca915335216c
  SHA512: 434ec36cf9b34c1e8373e25d86e7fec9df575efa9fa9da5bbe77703d068c5995dfa8a3824ec4f20b5c5e8e17cb2e8a3391990439cd67b080ccc93c83fcbbd680

File 2 (hashes identical to the submitted sample)
  Filesize: 2.5MB
  MD5: 0e2d67a033efc098dcdafe159cbd1954
  SHA1: 0b962240091c3037e25db68e92768bd1119f9c66
  SHA256: 616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e
  SHA512: f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f