4d6c7f67cf774e66779f8f31440ec1d86fb4d7a93b473b9e1d4ea6af0f77a5c7

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe
Size

395KB
MD5

1f577c6f861c87a6998b30e75de33246
SHA1

109846d60ef48057cef383ceb2ab0ef56a5b7e53
SHA256

4d6c7f67cf774e66779f8f31440ec1d86fb4d7a93b473b9e1d4ea6af0f77a5c7
SHA512

204dd1a5fcd5ec50ae61be3310a50c139e459adb9855b7ce51c53caec3d0628e228a18cc5450fba31eb8a7dde288b07d7a447b9b09edda7965779b49e951a787
SSDEEP

6144:3myHvNqRbPD0MNja+o0Is37qeG/AJuzhwvTrUWU6sXQFJEES6fiJYu65syhrv8M:FygMRWsL2hwLQGsXQ7JNiauqsyhrZ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+veeje.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://t54ndnku456ngkwsudqer.wallymac.com/45FF7EFEE2ADE455 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/45FF7EFEE2ADE455 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/45FF7EFEE2ADE455 If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/45FF7EFEE2ADE455 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://t54ndnku456ngkwsudqer.wallymac.com/45FF7EFEE2ADE455 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/45FF7EFEE2ADE455 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/45FF7EFEE2ADE455 Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/45FF7EFEE2ADE455 Your personal identification ID: 45FF7EFEE2ADE455

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/45FF7EFEE2ADE455

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/45FF7EFEE2ADE455

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/45FF7EFEE2ADE455

http://k7tlx3ghr3m4n2tu.onion/45FF7EFEE2ADE455

Signatures

Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+veeje.html	jjiufo.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	jjiufo.exe
2484	jjiufo.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe
2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2660 set thread context of 2484	2660	jjiufo.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	jjiufo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css	jjiufo.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png	jjiufo.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\MSBuild\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css	jjiufo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	jjiufo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	jjiufo.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_ReCoVeRy_+veeje.html	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_ReCoVeRy_+veeje.txt	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	jjiufo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_ReCoVeRy_+veeje.png	jjiufo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	jjiufo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB161DA1-0C24-11EF-AD30-660F20EB2E2E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000003ea2c19727a48b065ab303b2c7a79d9030efa7936c6eca117e9685e9946180ce000000000e8000000002000020000000346371501bd37b5a63faf1c89ab7933550e5c1dc999c8fa3cd928cc7f12581f890000000c1f503922487728158b5d1b014289eee7b1bff0412ad77eb499b08521f4231167c55dbfae055276d06b640491b98ffb744a02a3fa7d755ccfab086e376cea2ad2632b06fce7fefd781f17d4b28726991187a54e95635b5a0a8d95168a82362fa7366d95e39b78ba08f0f2fb097921838fcaddbf1ca80955b7e083790fdfc1e2900fbb97145c2e29128d45dbea2b61f0e40000000a02596e82fc90365932febae793ca82cd9668d22a27135e7baaa267d23fd60b30311a0415a5cd210cac59ef7bd30bb44176f118ee2d32bcc49595d8cba79fe2f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b058927f31a0da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000eef1b0308d487170421ca8922541b75d878342d4cde8a7084f988176bfd0a1e3000000000e800000000200002000000089dbed2476b14764ced58b69de2a39bb92b319ed9668044ce2413511bb31bcd12000000026c58b39b8938e89dfa7c87c0ba080fae052e3d0b7118e0c42c3e6e9ca254e4b400000004801afee8b48e62c116f2b1bcf53c570e0aa034056241f106b8b946a639aa41a13e7255633464f6208477bdc687e1cfc8fcec5ca1441c57521929d8c196fb94d	iexplore.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\trueimg	jjiufo.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jjiufo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jjiufo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	jjiufo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	jjiufo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	jjiufo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jjiufo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe
2484	jjiufo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	jjiufo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
772	iexplore.exe
2480	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
772	iexplore.exe
772	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2592	2036	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	28
PID 2592 wrote to memory of 2660	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2660	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2660	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2660	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2612	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2612	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2612	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2612	2592	1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2660 wrote to memory of 2484	2660	jjiufo.exe	34
PID 2484 wrote to memory of 1620	2484	jjiufo.exe	35
PID 2484 wrote to memory of 1620	2484	jjiufo.exe	35
PID 2484 wrote to memory of 1620	2484	jjiufo.exe	35
PID 2484 wrote to memory of 1620	2484	jjiufo.exe	35
PID 2484 wrote to memory of 336	2484	jjiufo.exe	42
PID 2484 wrote to memory of 336	2484	jjiufo.exe	42
PID 2484 wrote to memory of 336	2484	jjiufo.exe	42
PID 2484 wrote to memory of 336	2484	jjiufo.exe	42
PID 2484 wrote to memory of 772	2484	jjiufo.exe	43
PID 2484 wrote to memory of 772	2484	jjiufo.exe	43
PID 2484 wrote to memory of 772	2484	jjiufo.exe	43
PID 2484 wrote to memory of 772	2484	jjiufo.exe	43
PID 772 wrote to memory of 2728	772	iexplore.exe	44
PID 772 wrote to memory of 2728	772	iexplore.exe	44
PID 772 wrote to memory of 2728	772	iexplore.exe	44
PID 772 wrote to memory of 2728	772	iexplore.exe	44

C:\Users\Admin\AppData\Local\Temp\1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1f577c6f861c87a6998b30e75de33246_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\Documents\jjiufo.exe
    C:\Users\Admin\Documents\jjiufo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\Documents\jjiufo.exe
      C:\Users\Admin\Documents\jjiufo.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\system32\cmd.exe
        
        cmd /c pabmn.bat
        5⤵
        
        PID:1620
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v pabmn /t REG_SZ /d "C:\Users\Admin\Documents\jjiufo.exe" /f
        6⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_+veeje.txt
        5⤵
        
        PID:336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_+veeje.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1F577C~1.EXE >> NUL
    3⤵
    - Deletes itself
    PID:2612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+veeje.html

Filesize
7KB

MD5
7bd7932e17dfa5283acdbaceca76b738

SHA1
0a267bd543488f8d754bf9fa37ccfb3dfd3b5243

SHA256
8cd77f789a74f1b2bedae7dd9904e5fb892d8655e0bd1fa5d77473e36d560f22

SHA512
924e88a40e94cc8b4ff0c89d0235e05b27b8c9950464adfdd0c9b05455e749c1300e05e9ab880f03c54d83a9d9dac01729e5408b1103c9cc5a9468ad4000e872

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+veeje.png

Filesize
77KB

MD5
3c8242e1dcfec0221b1727fada8ee655

SHA1
2c5dfd86f64bd051ff011e51fe7425a8181633f4

SHA256
2030c6f3fdb039347106fa162bd4405f391f26e8aa08c4f66b9af98baae1b80d

SHA512
8d420d92978ea8e17c2d237f35a29b8bde3b2990736277c2836383063b57e74c21a015cfa76afcb29372dad0daff8eb3dd8ae7d649639b5dfb7f2bd7339f5e43

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+veeje.txt

Filesize
2KB

MD5
6689cb35b0f736c35006ee23a72cf2ba

SHA1
97bd9a99d480f79d22fd85d7da3f5dd0a9bda7b2

SHA256
4aa66061cff9984a3ee542869b3ac8ca2e9e4b27327548ecb0c93bafb45ce59c

SHA512
872d5738870d7f88ea9301e3c69eaaa9915bcaa19e5a4c50ff74ce56a4ee3e02842d744b80860de53a5110adea0d7ae27742458dc62f4b040b3ac737148b9d6a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
fd931f47a450294de41e42c5ef66d150

SHA1
ebdf03667676aba33f55dd0926f381e3b7bf06e5

SHA256
c3c7cf3edd0d2bda1b3f097219ef70d6ef86154fbd226e53a6e1981dd4aeedab

SHA512
1076c12385d7ca770dc13087e04b9a5168fcafd5617072ba2b261dd3c0292abdd9c97457473984c89984a6a22d373307b0c8c2f318ed6471ede3385a53db8150

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
363641e52afbc605e241b4e3e99f4991

SHA1
d6defd911eeb8b5d6099765b90a408588e8b0d56

SHA256
6e5a5342ef5d363eab04ebb8dbb6303e0832d5df9024258ae7c09043013e727a

SHA512
657b9a5844e2ef81e63089646f968df413f30165cf7d0c719e402655ebf4ff9f36d12054fb5b6001a36a4a2332e8e54de284e3b39d6757172878ca5066fd85af

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
799220b69247b44e60aef0eca71e8d73

SHA1
eb07cb328c2958ef50deb401932eba22e4a075f5

SHA256
e952db139557c2d83a949ef39e9156e6be7ecdd954a220187f579996c8d42214

SHA512
3352062b3d1f49484ddbe59a53882f5fe01a679829966a8b4211a12be5ec1329b7be9bef16ad170a87ad66addc72c44204fae45af04264f4d9cbe7e3ca8cb09e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e63d40e063a2933ff1304cc67fba3c4c

SHA1
565a5b1e743cf04d3ed6b97c6302454d2171f311

SHA256
0426c782130187d6acbf64e9774908de91b96d038c1f12e623021fc397f1246d

SHA512
281905b39174ead5d8115c9202282a9c4087139d9fa4854e8f8a91cb12e8f70d3e17d9da0e12663b56fd1a1d7db5de32ea1a081e1b9ca2a7d1187c5eaee1cedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55668635b56b11b38501fcaae4cb41f1

SHA1
88f0d7e969e96721a1d3f50b6bccfe23597d04af

SHA256
354d7efaf8abfa4ab28e125227d6df012870144900114f5ddbf6437683477032

SHA512
cc4943d9bcfbbecd48b99cf6b3084e9d0aa2307e0682ad5b404e319b137bd85c2f4b881ef4a32c4cac3b47ca2fa2be51b371286ad7e162cd0c9dce355e59cba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
271ce46c73978e60b25f3d6d3b01e4c2

SHA1
430880604d264ad140b11c0e15405ece34665eda

SHA256
b2061c9fd6ae0f50bd7dc619d70d5bbaeba3ed37560ced0dc51a8b012e8a139c

SHA512
a05dfb65a5da840c110f9aa2fa8986099bed4618dab84f4e45ec5205104dc8f0e9216b214ba13ea93ee4644f9fc829f1ff4296de11e14f115e688354c8cb78f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb1b6fe0844e8952fd1b71e3e3e16517

SHA1
ed1ea0d4373c51eb730323b3da1343a369514a2a

SHA256
31e85bcb57a65bad34bf796071a578e4db2cf6136466061833861c2565ece103

SHA512
50cb9d2392ed7d532251f82a8915f7bd9f48ffc6ba7ef7b98f2da9838601f4acd564de19bf6a663a741a4d4587f412e3927aec163ee54983cdf7d1dd7e8525e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9359d7dc837d7cf4d65b72e367139c35

SHA1
2ff1bca7d0c9e8ec4d84981ba27b3600849fe2ec

SHA256
13f84e137683af849d00415b530e19661a8a844b736bc6fe44dd61094beb53db

SHA512
afebc3fd4d2addfdf6ebc9d27551f93f731a8ba9767ecc06e7d0eaaefd7ad4fad47f00148fd45a51ee025b4df6a7bdcb4f453021c028d32127bfb2d41a11f961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
880bf8819544026450dde4d3d2e60ec3

SHA1
482af0497405fe37d0850f0325f3aadc973a8673

SHA256
ad59757261f9b2ac608020a2fed786387807c2fd606292cbad0bee7e30f9a724

SHA512
5b155d268fa60152fbee53d818a3143d25301b69b5a01840be899a18f0df33fd7c585a9a8586697816c4a61d9b26a3acaada5298e25efc627f02e6bb93c43aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f608ef87b801fcd638ab4514f224f12a

SHA1
2523bcf1e415ea40946c5dcfa9b5cfcfa49e37fe

SHA256
2dc3ec429231a289c5ee388895f71f742f277a1990518c01d6184959b2f5a4f9

SHA512
b6a8d4718ac5afb5a85999fdbaa50c69c53c5f7bdf8430931f56adb950899aba82d6b4de02266db5617db278f6890ffe606f2695121066be7b31cc711ef507aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d855e4a1438abe6c6befc6dbb4989305

SHA1
53bafee820869c3d146ab1bb0d6d06144ea43576

SHA256
f691cd5f0c21ed958c9f24f98d2e825bc221fab60fca4f56992993711a111bfc

SHA512
bda427b47cd0d225ea68fce39c03e2b5132b01d625475c3c7607666b6f193280f1ea7c54c9793650da16572e6c31322688ab9ea189a70d21e0531d89de7c1f16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cc57acae561fcfb0b60bade045ec60f

SHA1
ffc342e4578932c6c743aa1bd1d87c3e04ff0598

SHA256
44b46c9503b79e56a46cf5f879d34bbfa2aa2319fdabf45b3338d67d33f56cce

SHA512
e75967cda3745907e254e8ad355498aaf422d92e5268b6c6e91f0fb0c032864d8e0beca902080014497a3d8e0bb3cc3d875bee8e1412ec2c4d204824b35745e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
714cbecacb2226a780c18595bb9feb27

SHA1
95c86ce0321071e9228681d37c8688834c992c22

SHA256
994fb7f2a67f224910e18801a61ba65be3e4dd735a31fe71b6cbf3b3873b0a00

SHA512
d1b0e7b7f39069922972f5f49b7615754f9001df4054ab8d56823550d05e875c876eb03afd03bd3d1a052b0604aa1462f6c7399e6e8cbc25d0eac946995f0816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
595e71003fe130cff98818379e2981f8

SHA1
0e25dfd62c8137c9603e2e4beb7041ba8b7e98df

SHA256
882dd87350d9b6360faf6b4cd04e2b9e2e5b99977536f9366ce9b306ea6b0882

SHA512
66b2ee3b8af8aa9f6916331ced179073af30bcbf08d959f84ebc13b6e209d9e9ef356e06e968d91dabe08932337c894a0aa545477c05597715b1ed8f8792827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BAE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C5D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C81.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pabmn.bat

Filesize
135B

MD5
8ad14300e7a8d854442467ca1856f935

SHA1
213aebf572fe8a27e42e728f1433c516894d5300

SHA256
61b91e17c20a1556aed5dcf17ea19ea961dd71e0b99265e43efab4251e080b46

SHA512
995affa8378980182b3a378ba689ace6ea820e36490b8ae8d2a172787bfdb06babaebfd5e8e759f69bf00cced4899ce49217b6885b7f20ace4fa51ca07c82f0f

Download Submit
\Users\Admin\Documents\jjiufo.exe

Filesize
395KB

MD5
1f577c6f861c87a6998b30e75de33246

SHA1
109846d60ef48057cef383ceb2ab0ef56a5b7e53

SHA256
4d6c7f67cf774e66779f8f31440ec1d86fb4d7a93b473b9e1d4ea6af0f77a5c7

SHA512
204dd1a5fcd5ec50ae61be3310a50c139e459adb9855b7ce51c53caec3d0628e228a18cc5450fba31eb8a7dde288b07d7a447b9b09edda7965779b49e951a787

Download Submit
memory/2036-0-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2036-17-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2036-1-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2480-6046-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2484-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-2437-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-5202-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-6043-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-6045-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/2484-52-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-54-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2484-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-8-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-4-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-12-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-16-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-20-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-19-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-10-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2592-33-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2660-30-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download