Analysis Overview
SHA256
48f0caea82c90881533f80cd73dd8d179f16145f66955c1add7ca1889e6e8b2d
Threat Level: Likely malicious
The file 5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
ASPack v2.12-2.42
Deletes itself
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 15:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 15:49
Reported
2024-05-17 15:52
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system\DRIVER\cygcrypt-0.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\servicesmgr.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\services.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\ntauth.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\servicesmgr.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP\LOG | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\cygcrypt-0.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\servicelogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\servicesmgr.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\ntauth.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\csrss.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\servicelogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP\NTLOG | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\ntauth.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntsrv.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\system\DRIVER\ntsrv.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\svchostlogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\svchostlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\cygwin1.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\cygwin1.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\winlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\New Text Document (5).txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\servicelogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\services.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\ntsrv.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\services.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\setup.bat | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\winlogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\system\DRIVER\setup.bat | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\h.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\Copy (5) of 3.txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\Copy (5) of 3.txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\New Text Document (5).txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\winlogon.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\system\DRIVER\svchostlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\winlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\cygwin1.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\h.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\DRIVER\ntuser.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER\ntuser.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntauth.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntuser.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\servicesmgr.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe" |
| C:\Windows\SYSTEM\DRIVER\h.exe | "C:\Windows\SYSTEM\DRIVER\h.exe" setup.bat |
| C:\Windows\SysWOW64\cmd.exe | cmd /c setup.bat |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntsrv -install -name:"NTLOAD" -launch:"C:\Windows\system\driver\csrss.exe" |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntsrv -install -name:"NTSVCMGR" -launch:"C:\Windows\system\driver\services.exe C:\Windows\system\driver\ntauth.dll" |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntuser.exe -install |
| C:\Windows\SysWOW64\net.exe | net start NTLOAD |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTLOAD |
| C:\Windows\SysWOW64\net.exe | net start NTSVCMGR |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTSVCMGR |
| C:\Windows\SysWOW64\net.exe | net start NTBOOTMGR |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTBOOTMGR |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H csrss.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H cygcrypt-0.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H cygwin1.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H libeay32.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntauth.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntservice.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntsrv.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntuser.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicelogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicent.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H services.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicesmgr.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ssleay32.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H svchostlogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H winlogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicent.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntservice.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP\LOG |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP\NTLOG |
Network
Files
\Windows\system\DRIVER\h.exe
C:\Windows\SYSTEM\DRIVER\setup.bat
C:\Windows\system\DRIVER\winlogon.dll
C:\Windows\system\DRIVER\ntauth.dll
C:\Windows\system\DRIVER\servicesmgr.dll
C:\Windows\SYSTEM\DRIVER\csrss.exe
C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll
C:\Windows\SYSTEM\DRIVER\cygwin1.dll
C:\Windows\SYSTEM\DRIVER\ntauth.dll
C:\Windows\SYSTEM\DRIVER\ntsrv.exe
C:\Windows\SYSTEM\DRIVER\ntuser.exe
C:\Windows\SYSTEM\DRIVER\servicelogon.dll
C:\Windows\SYSTEM\DRIVER\services.exe
C:\Windows\SYSTEM\DRIVER\servicesmgr.dll
C:\Windows\SYSTEM\DRIVER\svchostlogon.dll
C:\Windows\SYSTEM\DRIVER\winlogon.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 15:49
Reported
2024-05-17 15:52
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
106s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM\DRIVER\h.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System\DRIVER\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\h.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntauth.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\winlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\Copy (5) of 3.txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\servicesmgr.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP\NTLOG | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\System\DRIVER\setup.bat | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\ntuser.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\services.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\ntauth.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\servicesmgr.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\servicelogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\svchostlogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\System\DRIVER\h.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\ntsrv.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\cygcrypt-0.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\servicelogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\cygwin1.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\ntauth.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\svchostlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\New Text Document (5).txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\csrss.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\system\DRIVER | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\System\DRIVER\winlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\ntuser.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\Copy (5) of 3.txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\services.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\servicesmgr.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\setup.bat | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\winlogon.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\cygwin1.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\cygcrypt-0.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntsrv.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\winlogon.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\System\DRIVER\servicelogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\ntauth.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\system\driver\DAP\LOG | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER\ntuser.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM\DRIVER | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\ntsrv.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\services.exe | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\svchostlogon.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\New Text Document (5).txt | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System\DRIVER\cygwin1.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System\DRIVER\servicesmgr.dll | C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\5042ac80e753507bcce6e3a0cf4b9416_JaffaCakes118.exe" |
| C:\Windows\SYSTEM\DRIVER\h.exe | "C:\Windows\SYSTEM\DRIVER\h.exe" setup.bat |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c setup.bat |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntsrv -install -name:"NTLOAD" -launch:"C:\Windows\system\driver\csrss.exe" |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntsrv -install -name:"NTSVCMGR" -launch:"C:\Windows\system\driver\services.exe C:\Windows\system\driver\ntauth.dll" |
| C:\Windows\SYSTEM\DRIVER\h.exe | h.exe ntuser.exe -install |
| C:\Windows\SysWOW64\net.exe | net start NTLOAD |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTLOAD |
| C:\Windows\SysWOW64\net.exe | net start NTSVCMGR |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTSVCMGR |
| C:\Windows\SysWOW64\net.exe | net start NTBOOTMGR |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start NTBOOTMGR |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H csrss.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H cygcrypt-0.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H cygwin1.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H libeay32.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntauth.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntservice.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntsrv.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntuser.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicelogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicent.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H services.exe |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicesmgr.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ssleay32.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H svchostlogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H winlogon.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H servicent.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H ntservice.dll |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP\LOG |
| C:\Windows\SysWOW64\attrib.exe | ATTRIB +R +S +H C:\Windows\system\driver\DAP\NTLOG |
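The process list above is a three-stage persistence chain run from one staging directory: h.exe registers services (NTLOAD, NTSVCMGR) whose -launch target lives under C:\Windows\system\driver rather than System32, net.exe starts them (NTBOOTMGR is started although no install command for it is visible), and attrib.exe marks the dropped files +H +S. The detection logic below is an added example written for this page, not code from the sandbox report or from the sample. It works over constructed process-creation records whose fields mirror the Sysmon Event ID 1 fields ParentImage, Image, CommandLine and CurrentDirectory; the SAMPLE_EVENTS replay the report's command lines plus two constructed benign lines that must not fire. The staging directory, service names and paths come from the report; everything else (the Event class, the regexes, the field names) is an assumption of this example.

```python
"""Detect the install -> net start -> attrib-hide chain from this report
over constructed process-creation records (added example, not report code)."""
import ntpath
import re
from dataclasses import dataclass

# Staging directory used by the dropper, per the report (case-insensitive compare).
STAGING_DIR = ntpath.normcase(r"C:\Windows\system\driver")

SERVICE_INSTALL = re.compile(r'-install\s+-name:"([^"]+)"\s+-launch:"([^"]+)"', re.I)
NET_START = re.compile(r'^(?:\S*\\)?net1?(?:\.exe)?\s+start\s+"?([^"\s]+)', re.I)
ATTRIB = re.compile(r"^(?:\S*\\)?attrib(?:\.exe)?\s+(.+)$", re.I)


@dataclass
class Event:
    """Constructed record shape: Sysmon ID 1 ParentImage/Image/CommandLine/CurrentDirectory."""
    parent: str
    image: str
    cmdline: str
    cwd: str


def in_staging(path: str) -> bool:
    """True when path is the staging directory or anything beneath it."""
    p = ntpath.normcase(path)
    return p == STAGING_DIR or p.startswith(STAGING_DIR + "\\")


def analyze(events):
    """Walk events in order (install precedes start, as in the report) and
    collect each stage of the chain."""
    services = {}           # service name -> binary registered by the dropper
    started_installed = []  # net start of a service registered above
    started_unseen = []     # net start from the staging dir with no install seen
    hidden = []             # staging-dir paths given +H by attrib
    for ev in events:
        m = SERVICE_INSTALL.search(ev.cmdline)
        if m:
            name, launch = m.group(1), m.group(2)
            # First token of -launch is the binary; assumes no spaces in the
            # path (true for every path in this report).
            binary = launch.split()[0]
            if in_staging(binary):
                services[name.upper()] = ntpath.normcase(binary)
            continue
        m = NET_START.match(ev.cmdline)
        if m:
            name = m.group(1).upper()
            if name in services:
                started_installed.append(name)
            elif in_staging(ev.cwd) or in_staging(ev.parent):
                started_unseen.append(name)
            continue
        m = ATTRIB.match(ev.cmdline)
        if m:
            tokens = m.group(1).split()
            flags = {t.lower() for t in tokens if t[0] in "+-"}
            targets = [t for t in tokens if t[0] not in "+-/"]
            if "+h" not in flags:
                continue
            for t in targets:
                # Relative targets (csrss.exe) resolve against the process cwd.
                full = t if ntpath.isabs(t) else ntpath.join(ev.cwd, t)
                if in_staging(full):
                    hidden.append(ntpath.normcase(full))
    return {
        "services": services,
        "started_installed": started_installed,
        "started_unseen": started_unseen,
        "hidden": hidden,
        "chain_complete": bool(services) and bool(started_installed) and bool(hidden),
    }


# Constructed replay of the report's Processes section plus two benign lines.
STAGE = r"C:\Windows\SYSTEM\DRIVER"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
H = STAGE + r"\h.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
ATTR = r"C:\Windows\SysWOW64\attrib.exe"
SAMPLE_EVENTS = [
    Event(H, CMD, r"C:\Windows\system32\cmd.exe /c setup.bat", STAGE),
    Event(CMD, H, r'h.exe ntsrv -install -name:"NTLOAD" -launch:"C:\Windows\system\driver\csrss.exe"', STAGE),
    Event(CMD, H, r'h.exe ntsrv -install -name:"NTSVCMGR" -launch:"C:\Windows\system\driver\services.exe C:\Windows\system\driver\ntauth.dll"', STAGE),
    Event(CMD, NET, "net start NTLOAD", STAGE),
    Event(CMD, NET, "net start NTSVCMGR", STAGE),
    Event(CMD, NET, "net start NTBOOTMGR", STAGE),
    Event(CMD, ATTR, "ATTRIB +R +S +H csrss.exe", STAGE),
    Event(CMD, ATTR, r"ATTRIB +R +S +H C:\Windows\system\driver\DAP\LOG", STAGE),
    Event(r"C:\Windows\explorer.exe", NET, "net start Spooler", r"C:\Users\Admin"),        # benign, constructed
    Event(r"C:\Windows\explorer.exe", ATTR, r"ATTRIB +R C:\Users\Admin\notes.txt", r"C:\Users\Admin"),  # benign, constructed
]

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

The net start rule deliberately keys on the service names registered earlier in the same telemetry, so a legitimate `net start Spooler` is ignored; NTBOOTMGR is reported separately as a service started from the staging directory without a visible install, which is exactly the gap the report leaves.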
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\System\DRIVER\h.exe
| MD5 | 939d2741a041283109410348245bd381 |
| SHA1 | 674bd31a65b8fe81f53117cc1c49fbca63d0d865 |
| SHA256 | e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2 |
| SHA512 | 9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0 |
memory/2852-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5052-38-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2852-40-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\SYSTEM\DRIVER\setup.bat
| MD5 | eb3c876293bfd87426513e656b26ba67 |
| SHA1 | dedc0c5ad9b1e0f0a24852b93e8056cf28e52221 |
| SHA256 | 6cd9f271f946a334f5332120ed5cb08d50c38e6ed391d8325851256bab90c725 |
| SHA512 | f27b2ccfe9a3effe0b7909a26a35e6ba48f279adf5d969d1ccf3d497daacbe47d2ae96652dfc148df931909132898f8fad689a8dac787bcadc9da63f6c72636f |
C:\Windows\System\DRIVER\winlogon.dll
| MD5 | 9917c9661cacaafbbd72804fb2b8eca7 |
| SHA1 | 2e9d3b63537ee04eec1347aaf809302f02fd15d2 |
| SHA256 | 93ada2818571ee6b832b48cc6f8fc82f0d496af29ee450584f26fb5faa00626a |
| SHA512 | 1dcff441bb0ae7eb6ba8e73432e80ec62e11c7389ec7007e375226360bb35962f7330f347c1c66eadba5f57a3e87d502210723f9eb1c3e1cc5ea719f681a3897 |
C:\Windows\System\DRIVER\ntauth.dll
| MD5 | 3aae5db29a02c9dacb017c57bb6f0d9b |
| SHA1 | 4c3dd300e026840d57d171a6b604a5bf8f905266 |
| SHA256 | a40e950855e389f21887dbcbb06de05c70b7c34263420862f8c50220b53869dc |
| SHA512 | d93568089dcd7e2712ac3ce0278b2a04f71087dbd58192c3dfa78610675a235033fc0a9d00dc4f67551bba4e3fcdc9b4639449dfec3099e6065285b5c58189b4 |
C:\Windows\System\DRIVER\servicesmgr.dll
| MD5 | 5308a53803908e3f2d49f5ac109a9a4a |
| SHA1 | a2470f7a3347bd6b712aa8055ad762908ce0da9b |
| SHA256 | a19d0ffbde76c15a15eb8d6309bcdc7bc5d73e530422b69555e2ee50c91e69bd |
| SHA512 | dc7e5dde8274c25e27e7d490305675e1091cd646dc51b2c7dd4dc34ab8924ff304c4072ef43b65d7545f83ccaeb0f0ce9bb824a6fd5870a9e94c1b6e96281a6a |
C:\Windows\System\DRIVER\servicesmgr.dll
| MD5 | 4ae1395a5d20cf2e56308e5a119c7efb |
| SHA1 | cd73dc1115cf1251bcb5cd543570253cb903423c |
| SHA256 | 3de2e573cb1ed71ed65787b3ca7e7059384e9782f1db97f2d655fdf4cc80a1eb |
| SHA512 | 91d16f8bf5acc11731a703020f308962a499852a76d1b35067287a6537c116284a1827441f4d3ef25c6dc460bcf8f202abb85ead80d8e0e9489875fc145cc423 |
memory/1364-75-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2280-78-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3148-81-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll
| MD5 | 82b006aa0e496983a112a61df57a9677 |
| SHA1 | 3150fc701f26cf80502857cb2fbfb859c349dd9f |
| SHA256 | 1c1b4ad96af649f217a3d56b3d82547f40a775698b7e8bcbc9334cd545bda59f |
| SHA512 | e6fd7ba2d0839223612f446c493b9c33c4a39bd7bb95e965cd1c979f5eb6656a4f4a4dd053edd41007c78fc9e86c74cc6cb5f72b88e7d6b9f53859f03c5b7bda |
C:\Windows\SYSTEM\DRIVER\ntauth.dll
| MD5 | 2b1fbba62f7154184c66eadf9f9ede4b |
| SHA1 | 5b22e13aa80e98ba363623445b5421a388238171 |
| SHA256 | b13b58f06a57d0ffd20ea0d44036f35fa891f89bb3c79e4a491d06d0d55d37ae |
| SHA512 | 4563a9a2489b6002b2676073c03a548838dc93b693d7a5546c3564eed975b58a113569ccb13bb63182b982680319e39a74025a471c2e94fbf8be85fa3a551e6a |
C:\Windows\SYSTEM\DRIVER\ntsrv.exe
| MD5 | 906510472f226daf373a500ddfdd7560 |
| SHA1 | 6bf43cb6497fb3ecd46b51b1682ad7ff729fd241 |
| SHA256 | c4a293a4069a9666f4ef194ec4df930dfd75322f8e64d6f1ed70e5d9139413bf |
| SHA512 | 7a0b38d95d01e7f84170fbf9521372877afd82517e0b3502f0b49655a42f409e1dc533b213a59e2f695bbc726f9a4fa19bdbd26fd78a80780f01230b9364b3f1 |
C:\Windows\SYSTEM\DRIVER\servicelogon.dll
| MD5 | fa59828cf8a77b077318efa7d667b9e9 |
| SHA1 | 9aa17e7da53903e44773958e13ef43f1f4f51b69 |
| SHA256 | b832e9e2b68fa089ff9c3d5c281d5e727423a3350940d205788d070e105cffb3 |
| SHA512 | 5d3dca0c616039e006bfc41927fd0519103f0727db1b09878c91b3b0f727e0c1086b932e323b814a9107c58dfa8ee561128ce966cb4178b25522e48d03f38112 |
C:\Windows\SYSTEM\DRIVER\ntuser.exe
| MD5 | 80858f87275634946eed13b514222cdb |
| SHA1 | 518d634a2bd8a7723638256ff66eaf3b7a06e755 |
| SHA256 | 03d522c8d6339b597501033925ed7eeb49d885e7beb13de54b8dcd7ba6cc603b |
| SHA512 | 40705da2a852b34f842d5eef0c868b238089fb68aebcdbaeba08c635de92a4daf23473b26bb8c21ea532fbe7c0828d3187858a82f15fa3c13c31f3ec76e93a73 |
C:\Windows\SYSTEM\DRIVER\cygwin1.dll
| MD5 | 2852ff9d8f43590d3963b298f9a6492e |
| SHA1 | 63b0ce1799cd60696968fda81f6fa0ffa81deb47 |
| SHA256 | e19cdbce37da1ed5acfd8e7b888922fda770ebf52e9164bcf3c8036f33184780 |
| SHA512 | 2c0884449b20b22c5703a769fafdc77b7dea15629c222f187937ec6332d3d249d6744d893d4dda4b23a2eab519e1a5799c71576d4afb26c3bf895b324568c066 |
C:\Windows\SYSTEM\DRIVER\servicesmgr.dll
| MD5 | a96177862c0d067386157e5cb1ce844a |
| SHA1 | 627a72cdac25e4e32ec4d77395afc190a866d566 |
| SHA256 | 2ea7db377c12fe81c7d9d7a09e350272047c8443d83e5b79eb949473c0d16f9d |
| SHA512 | 9784f9263f21dd3fbb630cb0e53b1fd31f912f7a02e0946ce941a92032227275c5ffbb1ad1018b6cc5d3d704dde32611aef429f45b7d940e916048c6ef5e4deb |
C:\Windows\SYSTEM\DRIVER\services.exe
| MD5 | e6ff5cd0591ca1f9fcebfb11d75494e9 |
| SHA1 | 1c899df15c4464321680293b9bc93c6869fa3580 |
| SHA256 | ce3463b34a9c7dfbe98dd6b4e199dbee3df0eab77d3e17bfddaa84477da04b32 |
| SHA512 | 5f850e762283f9f85f4362e40e5419f10dc99c052ce8f4b39e3119cf883ddbfb76c2aa7d166d9b9ef1cd36460d1428a0b9203ee74e453231df7c98bb179167f3 |
C:\Windows\SYSTEM\DRIVER\svchostlogon.dll
| MD5 | ca7a86d7a1b6b5d4ab1a08a43710eba2 |
| SHA1 | f3153ca081be8fb93e9968344d98676139b39b09 |
| SHA256 | db23e4ae1e3f95d863c83b928abedd23aff9cc115abdfc56a97f39cf293ded37 |
| SHA512 | a34650b49f689b0b2ff0a582b493606f1c842b4d562089ecdbd17044a6422ef1d6c8de8dfd7f9c46b78448cc8d6ef709ca4096dc4d5799424ae5d380ab22b78a |
C:\Windows\SYSTEM\DRIVER\csrss.exe
| MD5 | dee02ab15d2431bd7627b43df870a964 |
| SHA1 | 85714c62d5723d7cf03c8e22d003a0f338eadade |
| SHA256 | 7e68c6e03c827a65ddf511f5d4b8254aeb265b39363d94dc614ffe47ea30e7d8 |
| SHA512 | 82c018c117c789ef6e49c6ccf0a77f055362d7a132fb65868e2cddc155be2a7b3279d64b5e05f4cdf82490e4a79999b2d9988a02bd4892b606139b79e4418a81 |
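Two things in the file list above are worth sweeping for on other hosts: the exact hashes, and the pattern of files named after Windows components (csrss.exe, services.exe) sitting outside System32/SysWOW64. The sweep below is an added example for this page, not code from the report or the sample. It hashes every file under a root, reports SHA-256 matches against the report's values, and reports masquerading names in unexpected directories. The REPORT_SHA256 values are copied from the Files section; the directory layout built by build_demo_tree() is constructed, and because its stand-in files naturally do not carry the malicious hashes, demo() adds the SHA-256 of an empty file to the lookup set so a hash hit is exercised.

```python
"""Sweep a directory tree for the dropped-file IOCs in this report
(added example, not report code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values from the Files section. servicesmgr.dll and ntauth.dll were
# rewritten during the run, so they appear more than once.
REPORT_SHA256 = {
    "e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2": "h.exe",
    "6cd9f271f946a334f5332120ed5cb08d50c38e6ed391d8325851256bab90c725": "setup.bat",
    "93ada2818571ee6b832b48cc6f8fc82f0d496af29ee450584f26fb5faa00626a": "winlogon.dll",
    "a40e950855e389f21887dbcbb06de05c70b7c34263420862f8c50220b53869dc": "ntauth.dll",
    "a19d0ffbde76c15a15eb8d6309bcdc7bc5d73e530422b69555e2ee50c91e69bd": "servicesmgr.dll",
    "3de2e573cb1ed71ed65787b3ca7e7059384e9782f1db97f2d655fdf4cc80a1eb": "servicesmgr.dll",
    "1c1b4ad96af649f217a3d56b3d82547f40a775698b7e8bcbc9334cd545bda59f": "cygcrypt-0.dll",
    "b13b58f06a57d0ffd20ea0d44036f35fa891f89bb3c79e4a491d06d0d55d37ae": "ntauth.dll",
    "c4a293a4069a9666f4ef194ec4df930dfd75322f8e64d6f1ed70e5d9139413bf": "ntsrv.exe",
    "b832e9e2b68fa089ff9c3d5c281d5e727423a3350940d205788d070e105cffb3": "servicelogon.dll",
    "03d522c8d6339b597501033925ed7eeb49d885e7beb13de54b8dcd7ba6cc603b": "ntuser.exe",
    "e19cdbce37da1ed5acfd8e7b888922fda770ebf52e9164bcf3c8036f33184780": "cygwin1.dll",
    "2ea7db377c12fe81c7d9d7a09e350272047c8443d83e5b79eb949473c0d16f9d": "servicesmgr.dll",
    "ce3463b34a9c7dfbe98dd6b4e199dbee3df0eab77d3e17bfddaa84477da04b32": "services.exe",
    "db23e4ae1e3f95d863c83b928abedd23aff9cc115abdfc56a97f39cf293ded37": "svchostlogon.dll",
    "7e68c6e03c827a65ddf511f5d4b8254aeb265b39363d94dc614ffe47ea30e7d8": "csrss.exe",
}

# Names the dropper borrows from real Windows binaries, and the directory
# names where the genuine copies live.
MASQUERADE_NAMES = {"csrss.exe", "services.exe"}
SYSTEM_DIR_NAMES = {"system32", "syswow64"}

# Well-known SHA-256 of the empty input; used only by the constructed demo.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_of(path):
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=None):
    """Return hash hits (path, label) and masquerading paths found under root."""
    ioc_hashes = REPORT_SHA256 if ioc_hashes is None else ioc_hashes
    hash_hits, masquerade = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            digest = sha256_of(p)
            if digest in ioc_hashes:
                hash_hits.append((str(p), ioc_hashes[digest]))
            if name.lower() in MASQUERADE_NAMES and p.parent.name.lower() not in SYSTEM_DIR_NAMES:
                masquerade.append(str(p))
    return {"hash_hits": sorted(hash_hits), "masquerade": sorted(masquerade)}


def build_demo_tree(root):
    """Constructed layout: a stand-in services.exe where it belongs, plus the
    staging dir from the report with a copied services.exe and an empty cygwin1.dll."""
    sys32 = root / "Windows" / "System32"
    stage = root / "Windows" / "system" / "driver"
    sys32.mkdir(parents=True)
    stage.mkdir(parents=True)
    (sys32 / "services.exe").write_bytes(b"stand-in for the genuine binary")
    (stage / "services.exe").write_bytes(b"dropped copy, constructed content")
    (stage / "cygwin1.dll").write_bytes(b"")


def demo():
    """Build the constructed tree in a temp dir, sweep it, return root-relative results."""
    root = Path(tempfile.mkdtemp())
    build_demo_tree(root)
    iocs = dict(REPORT_SHA256)
    iocs[EMPTY_SHA256] = "cygwin1.dll (empty stand-in, constructed)"
    result = sweep(root, iocs)
    rel = lambda p: Path(p).relative_to(root).as_posix()
    return {"hash_hits": [(rel(p), label) for p, label in result["hash_hits"]],
            "masquerade": [rel(p) for p in result["masquerade"]]}


if __name__ == "__main__":
    print(demo())
```

Point sweep() at C:\Windows on a suspect host (it will take a while, since every file is hashed); the hash set catches byte-identical drops, while the name check catches rebuilt variants that keep the same masquerading file names and staging location.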