Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 11/05/2024, 09:10
Behavioral task
behavioral1
Sample
33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
-
Size
5.6MB
-
MD5
33d509d70645f62cd3dee6ff59d52a91
-
SHA1
162276e5905f99d2c31268c67b9b06b578203cdf
-
SHA256
eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
-
SHA512
60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c
-
SSDEEP
98304:09yZmgcCNvuTZLIEIKwLGiVIhIy9vFcdm7M6gBjc5DfdYSP/b0bVuIcPHUdKGIpm:ntuTZ8EIKwLTeKy9XEjcVfdYSHAbVEPm
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
2636 | cmd.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2548 | BrowserWorker.exe
1216 | Mozillla.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2584 | cmd.exe
2548 | BrowserWorker.exe
1216 | Mozillla.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral1/memory/1676-0-0x0000000000230000-0x0000000000BAA000-memory.dmp | vmprotect
behavioral1/memory/1676-11-0x0000000000230000-0x0000000000BAA000-memory.dmp | vmprotect
behavioral1/memory/1676-14-0x0000000000230000-0x0000000000BAA000-memory.dmp | vmprotect
behavioral1/files/0x0038000000014c0b-24.dat | vmprotect
behavioral1/memory/1676-27-0x0000000000230000-0x0000000000BAA000-memory.dmp | vmprotect
behavioral1/memory/2548-39-0x0000000001350000-0x0000000001CCA000-memory.dmp | vmprotect
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
3 | bitbucket.org
5 | bitbucket.org
23 | raw.githubusercontent.com
24 | raw.githubusercontent.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
2548 | BrowserWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid | Process
1732 | timeout.exe
-
Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value omitted] | Mozillla.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value omitted] | Mozillla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | BrowserWorker.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value omitted] | BrowserWorker.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value omitted] | BrowserWorker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Mozillla.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
2548 | BrowserWorker.exe
2548 | BrowserWorker.exe
2548 | BrowserWorker.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2548 | BrowserWorker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1676 wrote to memory of 2584 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 28
PID 1676 wrote to memory of 2584 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 28
PID 1676 wrote to memory of 2584 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 28
PID 1676 wrote to memory of 2584 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 28
PID 1676 wrote to memory of 2636 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 30
PID 1676 wrote to memory of 2636 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 30
PID 1676 wrote to memory of 2636 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 30
PID 1676 wrote to memory of 2636 | 1676 | 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | 30
PID 2584 wrote to memory of 2548 | 2584 | cmd.exe | 32
PID 2584 wrote to memory of 2548 | 2584 | cmd.exe | 32
PID 2584 wrote to memory of 2548 | 2584 | cmd.exe | 32
PID 2584 wrote to memory of 2548 | 2584 | cmd.exe | 32
PID 2636 wrote to memory of 2824 | 2636 | cmd.exe | 33
PID 2636 wrote to memory of 2824 | 2636 | cmd.exe | 33
PID 2636 wrote to memory of 2824 | 2636 | cmd.exe | 33
PID 2636 wrote to memory of 2824 | 2636 | cmd.exe | 33
PID 2548 wrote to memory of 1216 | 2548 | BrowserWorker.exe | 35
PID 2548 wrote to memory of 1216 | 2548 | BrowserWorker.exe | 35
PID 2548 wrote to memory of 1216 | 2548 | BrowserWorker.exe | 35
PID 2548 wrote to memory of 1216 | 2548 | BrowserWorker.exe | 35
PID 2548 wrote to memory of 1096 | 2548 | BrowserWorker.exe | 36
PID 2548 wrote to memory of 1096 | 2548 | BrowserWorker.exe | 36
PID 2548 wrote to memory of 1096 | 2548 | BrowserWorker.exe | 36
PID 2548 wrote to memory of 1096 | 2548 | BrowserWorker.exe | 36
PID 2548 wrote to memory of 1608 | 2548 | BrowserWorker.exe | 38
PID 2548 wrote to memory of 1608 | 2548 | BrowserWorker.exe | 38
PID 2548 wrote to memory of 1608 | 2548 | BrowserWorker.exe | 38
PID 2548 wrote to memory of 1608 | 2548 | BrowserWorker.exe | 38
PID 2548 wrote to memory of 1952 | 2548 | BrowserWorker.exe | 40
PID 2548 wrote to memory of 1952 | 2548 | BrowserWorker.exe | 40
PID 2548 wrote to memory of 1952 | 2548 | BrowserWorker.exe | 40
PID 2548 wrote to memory of 1952 | 2548 | BrowserWorker.exe | 40
PID 2548 wrote to memory of 900 | 2548 | BrowserWorker.exe | 42
PID 2548 wrote to memory of 900 | 2548 | BrowserWorker.exe | 42
PID 2548 wrote to memory of 900 | 2548 | BrowserWorker.exe | 42
PID 2548 wrote to memory of 900 | 2548 | BrowserWorker.exe | 42
PID 2548 wrote to memory of 2368 | 2548 | BrowserWorker.exe | 44
PID 2548 wrote to memory of 2368 | 2548 | BrowserWorker.exe | 44
PID 2548 wrote to memory of 2368 | 2548 | BrowserWorker.exe | 44
PID 2548 wrote to memory of 2368 | 2548 | BrowserWorker.exe | 44
PID 2548 wrote to memory of 2060 | 2548 | BrowserWorker.exe | 46
PID 2548 wrote to memory of 2060 | 2548 | BrowserWorker.exe | 46
PID 2548 wrote to memory of 2060 | 2548 | BrowserWorker.exe | 46
PID 2548 wrote to memory of 2060 | 2548 | BrowserWorker.exe | 46
PID 2548 wrote to memory of 1488 | 2548 | BrowserWorker.exe | 48
PID 2548 wrote to memory of 1488 | 2548 | BrowserWorker.exe | 48
PID 2548 wrote to memory of 1488 | 2548 | BrowserWorker.exe | 48
PID 2548 wrote to memory of 1488 | 2548 | BrowserWorker.exe | 48
PID 2548 wrote to memory of 1992 | 2548 | BrowserWorker.exe | 52
PID 2548 wrote to memory of 1992 | 2548 | BrowserWorker.exe | 52
PID 2548 wrote to memory of 1992 | 2548 | BrowserWorker.exe | 52
PID 2548 wrote to memory of 1992 | 2548 | BrowserWorker.exe | 52
PID 2548 wrote to memory of 3040 | 2548 | BrowserWorker.exe | 54
PID 2548 wrote to memory of 3040 | 2548 | BrowserWorker.exe | 54
PID 2548 wrote to memory of 3040 | 2548 | BrowserWorker.exe | 54
PID 2548 wrote to memory of 3040 | 2548 | BrowserWorker.exe | 54
PID 2548 wrote to memory of 2720 | 2548 | BrowserWorker.exe | 56
PID 2548 wrote to memory of 2720 | 2548 | BrowserWorker.exe | 56
PID 2548 wrote to memory of 2720 | 2548 | BrowserWorker.exe | 56
PID 2548 wrote to memory of 2720 | 2548 | BrowserWorker.exe | 56
PID 2548 wrote to memory of 2212 | 2548 | BrowserWorker.exe | 58
PID 2548 wrote to memory of 2212 | 2548 | BrowserWorker.exe | 58
PID 2548 wrote to memory of 2212 | 2548 | BrowserWorker.exe | 58
PID 2548 wrote to memory of 2212 | 2548 | BrowserWorker.exe | 58
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
2824 | attrib.exe
1728 | attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
    PID: 1676
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
        PID: 2584
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
            PID: 2548
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
                Command line: C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe
                PID: 1216
                - Executes dropped EXE
                - Loads dropped DLL
                - Modifies system certificate store
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
                PID: 1096
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
                PID: 1608
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
                PID: 1952
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
                PID: 900
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
                PID: 2368
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
                PID: 2060
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
                PID: 1488
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
                PID: 1992
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
                PID: 3040
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
                PID: 2720
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
                PID: 2212
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
                PID: 2112
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
                PID: 1504
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
                PID: 2688
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
                PID: 536
                [5] C:\Windows\SysWOW64\timeout.exe
                    Command line: TIMEOUT 3
                    PID: 1732
                    - Delays execution with timeout.exe
                [5] C:\Windows\SysWOW64\attrib.exe
                    Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
                    PID: 1728
                    - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
        PID: 2636
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
            PID: 2824
            - Views/modifies file attributes
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 847e8b2becaa66eb72cacabd458fa552
SHA1 1403d136d21bd3c8d04dcf2af472c9b0fa69fb50
SHA256 692dc2f395753805710130b0c9e5c40770c7533281db259e68070cfed186d117
SHA512 89fd33cf18d93be213356c6f50eaeb12a4c257aaa60b6366f35c311450f92d51ec4c2c980b94f0feeb210aaf5d479999a990ade887a2568def273b4b0a6a955f
-
Filesize 46KB
MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize 33B
MD5 82b688a7b1ec263bbaa6cf1453c61ccd
SHA1 cbaf77f4d302ef5952df9ea056f103a8397d38cd
SHA256 7ff88f3df4a401ac9c57f3e1418d4225f933e107e5d19f4a8cca9cc3200244f2
SHA512 f7502830709cf1afdf41b08f433199dbacb15dd8eb60a127476993bb050762820058e80d334269c8ba7993f6663d452532c7f31fa6b1c17180e62d0d2deef412
-
Filesize 13KB
MD5 c80f07348f1dad1044b18069d516b9b8
SHA1 ba6cff5f84219b0a64bfe8d25f7709708a881271
SHA256 62cab66de46e429c833a2fbeb8e3b97b4dcfb912a0e0d67f3c04c1bfd5a7146c
SHA512 f3151d15add4bc887c721366f178b3ee05dbdb612eb5be581ad4393389332cdcf6c58e5aa2dd530b7658946faf63f6a0c1ac94825e88c3b57e487e088073afc0
-
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize 473B
MD5 a2994a53852aade4eab4692c48c0dc8b
SHA1 22dc78669238e064967fc843866c9797c41d5be1
SHA256 d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f
SHA512 b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5
-
Filesize 363B
MD5 f87c56e8469034c3fdbac19e4828ef8f
SHA1 956d17bca9d30b60c852f4b52b2054457fa94403
SHA256 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368
SHA512 f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927
-
Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize 22B
MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize 1.6MB
MD5 23e746ed80c005ce32987bbcaadf6e0e
SHA1 2ca61e8244a9c30a321012c8ae1d6f32071dc46e
SHA256 9fd3924c19447444c11388df8665c58b9846223a81dd9df8e22b7bdd67fc1a37
SHA512 937c2c15552e5cdc6bfda9e9b24949437a4ac58f0087044e249207bb49db551450d742707140b9bc0d25acb04404ffdf508845256b8ed4b59cf4061bc4d4c1ea
-
Filesize 5.6MB
MD5 33d509d70645f62cd3dee6ff59d52a91
SHA1 162276e5905f99d2c31268c67b9b06b578203cdf
SHA256 eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
SHA512 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c
-
Filesize 276KB
MD5 21670cc3ebd12408f4e28eb15e238eec
SHA1 cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4
SHA256 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799
SHA512 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a
-
Filesize 694KB
MD5 f5e0950aff26d65cf9e1789b7a013a94
SHA1 6d305e3da92afa3a188e9b63a55ff99b2a82e425
SHA256 55ab9f9667e5bdee16613fcb972cc89516b85ceaa4184a65da54deaf51b42de9
SHA512 7d752921900ca41b1ecc0e199f905d145d90a3068485b05f2fad351f457fc7b20957bfff738d082c64f92c276a55fad2863d1c2f365ca3307e7e1d7f01c70cec