3e27d1888ca10f3de6e459f4e5a5b4773c1b8423920e5c3801a26f04af62f4c5

Analysis

max time kernel
116s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
Size

3.7MB
MD5

2bf4210c873ad7653dceda1869d5ce87
SHA1

7561500f8cb88f9214c8de9d05bcdaf3f5457388
SHA256

3e27d1888ca10f3de6e459f4e5a5b4773c1b8423920e5c3801a26f04af62f4c5
SHA512

55bcf89618dc2b7aadfd29f77d94679c2adc8fd7ee3ca96f4f83f5f84f7f479305c763329c790710bc30ecfb4c9632c42afa35a880ba163422bc6189ad7d6a95
SSDEEP

49152:aoDkYOHQCoDkYOglEDkYOMwwnMb4PmyVI/4MnYYJ2ZhqSGLHkJEMPZqhaK6zbfqa:QYOrYOglpYOXwnS4rVpIDQPxj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
1244	176.#.exe
2300	186.#.exe
2732	607.#.exe
2788	828.#.exe
620	648.#.exe
1624	975.#.exe
2268	978.#.exe
3036	456.#.exe
2912	908.#.exe
664	119.#.exe
1380	569.#.exe
2700	423.#.exe
2524	364.#.exe
708	808.#.exe
2776	147.#.exe
1780	207.#.exe
1712	401.#.exe
1916	698.#.exe
448	958.#.exe
2532	197.#.exe

Loads dropped DLL 40 IoCs

pid	Process
1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
1244	176.#.exe
1244	176.#.exe
2300	186.#.exe
2300	186.#.exe
2732	607.#.exe
2732	607.#.exe
2788	828.#.exe
2788	828.#.exe
620	648.#.exe
620	648.#.exe
1624	975.#.exe
1624	975.#.exe
2268	978.#.exe
2268	978.#.exe
3036	456.#.exe
3036	456.#.exe
2912	908.#.exe
2912	908.#.exe
664	119.#.exe
664	119.#.exe
1380	569.#.exe
1380	569.#.exe
2700	423.#.exe
2700	423.#.exe
2524	364.#.exe
2524	364.#.exe
708	808.#.exe
708	808.#.exe
2776	147.#.exe
2776	147.#.exe
1780	207.#.exe
1780	207.#.exe
1712	401.#.exe
1712	401.#.exe
1916	698.#.exe
1916	698.#.exe
448	958.#.exe
448	958.#.exe

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	456.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	908.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	364.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	958.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	828.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	569.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	808.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	207.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	401.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	698.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	176.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	975.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	978.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	119.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	147.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	197.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	186.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	607.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	648.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	423.#.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\	648.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\	648.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\	186.#.exe
File opened for modification	C:\Program Files\Windows Defender\	119.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\	975.#.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\	569.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\	569.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\	975.#.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\	569.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\	186.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\	186.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\	176.#.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	186.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\	456.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\	828.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\	607.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\	456.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\	648.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\	176.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\	364.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\	423.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\	908.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\	978.#.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\	186.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\	456.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\	119.#.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\	456.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\	423.#.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\	176.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\	456.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\	456.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\	364.#.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\	423.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\	978.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\	607.#.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\	176.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\	648.#.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\	648.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\	456.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\	456.#.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\	176.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\	978.#.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\	607.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\	569.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\	828.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\	975.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\	456.#.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\	364.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\images\	423.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\	147.#.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\	975.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\	186.#.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\	648.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\	456.#.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\	176.#.exe
File opened for modification	C:\Program Files\7-Zip\	607.#.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\	828.#.exe

NTFS ADS 21 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	197.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	176.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	186.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	908.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	808.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	698.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	401.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	958.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	607.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	648.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	456.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	364.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	569.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	147.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	207.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	828.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	975.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	978.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	119.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	423.#.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
1244	176.#.exe
2300	186.#.exe
2732	607.#.exe
2788	828.#.exe
620	648.#.exe
1624	975.#.exe
2268	978.#.exe
3036	456.#.exe
2912	908.#.exe
664	119.#.exe
1380	569.#.exe
2700	423.#.exe
2524	364.#.exe
708	808.#.exe
2776	147.#.exe
1780	207.#.exe
1712	401.#.exe
1916	698.#.exe
448	958.#.exe
2532	197.#.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1244	1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe	28
PID 1940 wrote to memory of 1244	1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe	28
PID 1940 wrote to memory of 1244	1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe	28
PID 1940 wrote to memory of 1244	1940	2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2300	1244	176.#.exe	29
PID 1244 wrote to memory of 2300	1244	176.#.exe	29
PID 1244 wrote to memory of 2300	1244	176.#.exe	29
PID 1244 wrote to memory of 2300	1244	176.#.exe	29
PID 2300 wrote to memory of 2732	2300	186.#.exe	30
PID 2300 wrote to memory of 2732	2300	186.#.exe	30
PID 2300 wrote to memory of 2732	2300	186.#.exe	30
PID 2300 wrote to memory of 2732	2300	186.#.exe	30
PID 2732 wrote to memory of 2788	2732	607.#.exe	31
PID 2732 wrote to memory of 2788	2732	607.#.exe	31
PID 2732 wrote to memory of 2788	2732	607.#.exe	31
PID 2732 wrote to memory of 2788	2732	607.#.exe	31
PID 2788 wrote to memory of 620	2788	828.#.exe	32
PID 2788 wrote to memory of 620	2788	828.#.exe	32
PID 2788 wrote to memory of 620	2788	828.#.exe	32
PID 2788 wrote to memory of 620	2788	828.#.exe	32
PID 620 wrote to memory of 1624	620	648.#.exe	33
PID 620 wrote to memory of 1624	620	648.#.exe	33
PID 620 wrote to memory of 1624	620	648.#.exe	33
PID 620 wrote to memory of 1624	620	648.#.exe	33
PID 1624 wrote to memory of 2268	1624	975.#.exe	34
PID 1624 wrote to memory of 2268	1624	975.#.exe	34
PID 1624 wrote to memory of 2268	1624	975.#.exe	34
PID 1624 wrote to memory of 2268	1624	975.#.exe	34
PID 2268 wrote to memory of 3036	2268	978.#.exe	35
PID 2268 wrote to memory of 3036	2268	978.#.exe	35
PID 2268 wrote to memory of 3036	2268	978.#.exe	35
PID 2268 wrote to memory of 3036	2268	978.#.exe	35
PID 3036 wrote to memory of 2912	3036	456.#.exe	36
PID 3036 wrote to memory of 2912	3036	456.#.exe	36
PID 3036 wrote to memory of 2912	3036	456.#.exe	36
PID 3036 wrote to memory of 2912	3036	456.#.exe	36
PID 2912 wrote to memory of 664	2912	908.#.exe	38
PID 2912 wrote to memory of 664	2912	908.#.exe	38
PID 2912 wrote to memory of 664	2912	908.#.exe	38
PID 2912 wrote to memory of 664	2912	908.#.exe	38
PID 664 wrote to memory of 1380	664	119.#.exe	40
PID 664 wrote to memory of 1380	664	119.#.exe	40
PID 664 wrote to memory of 1380	664	119.#.exe	40
PID 664 wrote to memory of 1380	664	119.#.exe	40
PID 1380 wrote to memory of 2700	1380	569.#.exe	41
PID 1380 wrote to memory of 2700	1380	569.#.exe	41
PID 1380 wrote to memory of 2700	1380	569.#.exe	41
PID 1380 wrote to memory of 2700	1380	569.#.exe	41
PID 2700 wrote to memory of 2524	2700	423.#.exe	42
PID 2700 wrote to memory of 2524	2700	423.#.exe	42
PID 2700 wrote to memory of 2524	2700	423.#.exe	42
PID 2700 wrote to memory of 2524	2700	423.#.exe	42
PID 2524 wrote to memory of 708	2524	364.#.exe	43
PID 2524 wrote to memory of 708	2524	364.#.exe	43
PID 2524 wrote to memory of 708	2524	364.#.exe	43
PID 2524 wrote to memory of 708	2524	364.#.exe	43
PID 708 wrote to memory of 2776	708	808.#.exe	44
PID 708 wrote to memory of 2776	708	808.#.exe	44
PID 708 wrote to memory of 2776	708	808.#.exe	44
PID 708 wrote to memory of 2776	708	808.#.exe	44
PID 2776 wrote to memory of 1780	2776	147.#.exe	45
PID 2776 wrote to memory of 1780	2776	147.#.exe	45
PID 2776 wrote to memory of 1780	2776	147.#.exe	45
PID 2776 wrote to memory of 1780	2776	147.#.exe	45

C:\Users\Admin\AppData\Local\Temp\2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bf4210c873ad7653dceda1869d5ce87_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\176.#.exe
  C:\Users\Admin\AppData\Local\Temp\176.#.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\186.#.exe
    C:\Users\Admin\AppData\Local\Temp\186.#.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\607.#.exe
      C:\Users\Admin\AppData\Local\Temp\607.#.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\828.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\828.#.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\648.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\648.#.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\975.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\975.#.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\978.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\978.#.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\456.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\456.#.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\908.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\908.#.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\119.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\119.#.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\569.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\569.#.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\423.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\423.#.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\364.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\364.#.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\808.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\808.#.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\147.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\147.#.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\207.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\207.#.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\401.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\401.#.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\698.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\698.#.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\958.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\958.#.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\197.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\197.#.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\88.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\88.#.exe
        22⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\136.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\136.#.exe
        23⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\84.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\84.#.exe
        24⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\310.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\310.#.exe
        25⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\863.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\863.#.exe
        26⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\478.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\478.#.exe
        27⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\981.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\981.#.exe
        28⤵
        
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe$

Filesize
3.7MB

MD5
e3d8b217ed767c6ec86bacbaac396ade

SHA1
0282c676a9d974f382cf2384f2668c4c9f68a3c3

SHA256
b735f1bb51c5c175234173004f315727918fa11c9a06fd3812477ed85288caa4

SHA512
200bd8f410cf8f1ba846f120be661da9c551896d3bf9fdf7f6dbdbb6fb8539e554c311138cdb0201cfb8d986e07f8d447998403a6f2a965b93126f7a25b97e92

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe$

Filesize
3.7MB

MD5
64facf1ddfc48c23c706dfbf1cb5f17c

SHA1
7eda47d21937f37f0e0f58625e1910f88f92a31c

SHA256
697db9cbd6f0929644b135b7bf3e2275f2643d1003d09f075819990be9444a87

SHA512
147172ddc9d66737b7c4de499ec50cb8a361146b1b8fdd7c75c90b4bce340d4edacf07e4e44510aace304ca7f213867bdf350f0b3ccab17b44770ca2d420e222

Download Submit
C:\Program Files\Microsoft Games\Chess\Chess.exe$

Filesize
3.9MB

MD5
60fc6736b1a4470cfaec2fc6ae4ca53c

SHA1
860b0f5d807e8e37f2276d6532a3f83495056cfe

SHA256
a1c39e6b7f1ce86d9eb639237581ae6aebab140f746c4593d6fde2573d7c51c5

SHA512
31b33b7c4c8ee0a65a04d46999d17e4f1dfaa3c312e1adc559a658896c08dcb0764e28166ccd94128b39a981427bf8069e0b93597dfa58fe53b15eb616807897

Download Submit
\Users\Admin\AppData\Local\Temp\176.#.exe

Filesize
3.7MB

MD5
2bf4210c873ad7653dceda1869d5ce87

SHA1
7561500f8cb88f9214c8de9d05bcdaf3f5457388

SHA256
3e27d1888ca10f3de6e459f4e5a5b4773c1b8423920e5c3801a26f04af62f4c5

SHA512
55bcf89618dc2b7aadfd29f77d94679c2adc8fd7ee3ca96f4f83f5f84f7f479305c763329c790710bc30ecfb4c9632c42afa35a880ba163422bc6189ad7d6a95

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads