97eb42e846b0dec2a562667e6394c21cdc9182929bfae2b47c7b3980fd9c3fca

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Size

40KB
MD5

0f605728f006d004e4f0cc25fc4eed6b
SHA1

3bb00932e6f117336fcf6a1a057791c277c30c5a
SHA256

97eb42e846b0dec2a562667e6394c21cdc9182929bfae2b47c7b3980fd9c3fca
SHA512

abeb87a8de29f78cac51f523ec5d9859453e9e1e71ce8bc8ce5de60c1858671b9b2cb0857daf88a518221ad4a70bc095b0a1ac929898046532f4ddbf1765d537
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHf:aqk/Zdic/qjh8w19JDHf

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0031000000015b13-7.dat	upx
behavioral1/memory/2812-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-568-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
File created	C:\Windows\java.exe	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2812	2992	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2812	2992	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2812	2992	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2812	2992	0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f605728f006d004e4f0cc25fc4eed6b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39eff33805df186bd8b95efbb9fd25d8

SHA1
8e17a9c1a32f41101308f2bbf9fce2f164d68955

SHA256
f856500eba64906c0f667cfea2f8c5f346c45b0d56e507f11b8e26ca29d8d5d9

SHA512
378ed785eb212db598e1fc714cfc13abb8962e773290911217e2c591846a36b6594a8bc292069cc18362f10fb4be4d5b61e5fa6f4aac62dbb5e76707fd03af72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
237da26be15b2409f7c10f82326b8e93

SHA1
39132440a9cebe7e4ab43bd5d92d34ea23eab6c1

SHA256
b61873dfe743c48f9cabd1b13a2218c76696f442671707980a71c1f831832fce

SHA512
238ae13396f7e4b96283b0e260cfafc07176edb15d802a3c0f2dd6199a9820a24970e5126e39f3202f330c9030fdd38354c566cb30db384d82853adece2cd2e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8afc848a1d874b16513c2a20f7fd19ae

SHA1
866973b751af34a17a4beb745d9de534a6f1c840

SHA256
4f667de323906ccb9619807f2e2a3f95caabbbe11d7eaf4e0525814e3cd2bfa5

SHA512
6118935d21d56d1d24b75ed5c7b358617627013d6e0e2b1c403ca9fb4282820d57b930de7205b41c2018ad101c1cf91427f8d43a6067dcc4fff24254d8687d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d5f35eb6bdb1ef5060a73dbf7a42f43

SHA1
91d19301f6a8924ee52024367eb589b8f0280639

SHA256
1fb73b03a4aea411ee8742d57d92804abac2a7033c71d583dce66a15a7862f60

SHA512
e1fae3be9835df9667530bf74a130ddc6f3b669100f2125b4355482d807a86fb1544382f09bb0bcb2e2654ec3d75c77f512be04f4f756c3199f0609e580828ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b10e792e073b359ba952013761fd526

SHA1
57fb50467e09afbea6a7861cb8845be6c1dbf2ca

SHA256
a8ee12728de281e9064608d7f98d4ac91aecb88d4629bb62195d9b3b1e60682f

SHA512
9557a8bb6e54465c1dc931b25277ef3490e1d1934bad1f6e159471628d49a25737d2cd48b6bb2e5acd86313ec798e5afe535d5461d34b0405bbd835eb233d6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b050ba579062810fa06e007f220b714e

SHA1
87f18c8d4817cb3841e1dc3f1bfd33dd044e7ae5

SHA256
ca7cd17e71da0c7e35bd3313c0fb8004ff33f4ca2510175ea9f746ea323c335f

SHA512
767ab961578d97d816076218d8fc8d93f73da5f8e319a6abd8d02e5ff74fabac2e700892875cd6e9f8cc8d13d706a96c61610eeeebe6af0721c6932fc8a81ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa107ccb8f2491214a1cb4baa0ac517c

SHA1
5e9473aade26cdcbce1f3aa9221874e83b44c131

SHA256
11fa3fe562cd887b9330a4a62d85ce55ab34d84cfc041cb2447f6b2c4d8c5238

SHA512
8fe1d38f58e36b95dd5dc7bf8bbecec22a07b482edb17c5b4667237d401aac14591590723aa2d24a1a1dc52a51a4dffe87ecda218f153d64587a2ff115dae612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3962e6305cfa313e323b24b44f411e8d

SHA1
39b7e96cffb8bb76096465f701603272868b8887

SHA256
b0ece47c591bca624874778b117c37b01765514f4b7b168c9217cea2cdf3f458

SHA512
8daec0e072924e18f707c0d2bd6383f56e87fcd74a31dd4bb656c1824fe1030da3d518cd57e49112f2ff4f7436c1eab67f50c9a7520ae0acc33716e5a1bf0dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bde2711518519f023277eefe18e7dcb

SHA1
a46f17e47184c5bd0549ca2ddb9d8f7334e0e2c2

SHA256
d78f4a37dc0b6f3d7cc4063e26c6bd8b919a80a4edc01e794dfb114a7edbc049

SHA512
ac43a216d318c8c09b4d9b56e551f796bc9db086baa144f8c1c7e3ef7cd98dae5e8543bbfd8d08ac7ac9368ddcae21fec026f5b3a0d61797b5a37911689e41b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e1c06bd3a2af1703e0f689f5fad6330

SHA1
cab6e967f9ebf75feb7e8093d2b12bcdf17e8a9a

SHA256
c700514dd8cb6a95f316b373ea8ca2a8e3c305365f982d89c2f65444eb228b3a

SHA512
d530dc9c2f512701717d02679deac2db3d6980d2ec8cdd337836126926f8bd9ab14c2c665325beffb632dd0aa58ddff7a395ed16b1058935b78338e47edf1671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8658f439f8947f033aa2734a3b67f5e7

SHA1
ed7ea3e7bdde33d144dcd24d56b55481d5a2add0

SHA256
900f0ef37a8fd4400a7546db851bb5fd822dc75e6fe9668b54d17beeb5111329

SHA512
9b0615bf6218cf6cc5cbdab306289514777d7b8712b97c41dcb4d72946b66033c2eef815df0f295ab3a1d58b9bba0d98c43372475c9cbdcb5af288bd49168795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4712d37826a1e02e1d17a756ac210dce

SHA1
56af27be33b9b5df107c817e77df6477b111a03e

SHA256
7c001f4c98d84c554ca0b620cbd0d32fd1a62a2cefcfc1181a275225d6bf2d0a

SHA512
40015226c1a6767f12e87458ebac5d557ebf789912dac4b5fa0a78eaab2228c8bf962126a112c2e6db1a58bf507889551c0c57e37b2f9bdb510b2f231cd3f6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C9A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31AD.tmp

Filesize
40KB

MD5
7ce12f8d040d7da6c58b1dd488dadde7

SHA1
6601a0fe748d819ef011ba1f96b762f30455977b

SHA256
0bc2a78be91150e4319b34be7888ef44c20962708f02ae29fc3d65e1f02f7629

SHA512
4550c594769060092d93b72565e26550eaaf0ff0c9f20a747480fcb1d5f18b8834ed59480e16fcd6c34499411e9187327b5094caa79e211c3d31354817145deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0c20194fdba9166318313502adbda1cc

SHA1
a2558767382f8e293f4b191a3b0fc7b794a5f66f

SHA256
79ae9742b2d367f681fc1973bd0d27c594e25fa03b9e14ff08cd1669101879fd

SHA512
9433124ec9921c56b870478ff82f767c0a30f2d2532bdf95acf8ba7c8a74c0ca3997dc4034b7d286030f7e2d4f4b05ac4efc4bc65d2885fb8f11f58965b62c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0165bdc76c5c9091acf0b66748ea9675

SHA1
806eb154dca17b67e4b0e886c20d77991394a5a6

SHA256
7b33c23d64e984b4a43881154fb55aed4c932b63095c979734efff4f9f311daa

SHA512
bedb26cc70173cad4719ab657766cfb1c230be5c2dfdaa440d33c132acea1eecb66434b0752beb00decab30f99f503dde0a225f6b72aa573c5a6c975176708da

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2812-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-568-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2992-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2992-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2992-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads