hxxps://github[.]com/coltonk9043/Aoba-MC-Hacked-Client

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/05/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/coltonk9043/Aoba-MC-Hacked-Client

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613107357035404"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4968	chrome.exe
4968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1328	4604	chrome.exe	73
PID 4604 wrote to memory of 1328	4604	chrome.exe	73
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 1460	4604	chrome.exe	75
PID 4604 wrote to memory of 2920	4604	chrome.exe	76
PID 4604 wrote to memory of 2920	4604	chrome.exe	76
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77
PID 4604 wrote to memory of 4424	4604	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/coltonk9043/Aoba-MC-Hacked-Client
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe04d29758,0x7ffe04d29768,0x7ffe04d29778
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 --field-trial-handle=1728,i,12860371599950954889,16658838827067305555,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c8d1f72654c4522dc0e2c7f398e16f19

SHA1
be0f13a2c1fc0cafad1ecfa5308493795ceb1c3a

SHA256
fff74d7040f584b4a2f18b7a5f945059deee8f278f4d94ee07c9007d0a81bd0e

SHA512
edfaa23d79f6bdf4d8ea0bcf18eeb9eb2a58d06ebe4af6595ab1515585f06c76ef363dcb8e38c3307a177ef75e0a0e1d415d436a5e3a35a48fdbbf6e16a9d58f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
792b7cf6dc9f94beefacc9217023bbfb

SHA1
e11e66a61d9a882edfe9c4159b35614a8ef58a91

SHA256
694c7b1ced9fe64a7cb77deeeae949a9cfa43713bba46e3b84723983db4d12c5

SHA512
78717f9394879e55cf1557ddd8b6f4843e1765a27ffe83fb29e9a6e60e1c26bf7e82af3d2c4764527254ae871845ee53ced1e9572d0da012c9102f48562791c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9a321f5d6655b00142ec41f53e16004b

SHA1
066f547f676c3d68f1909b50c2e2d64121f80dc9

SHA256
4c9f551a9ec346af9843c46c66c82fff546cd14dbfd67f2cc06deb34a57e89c0

SHA512
55a6fd5410def5922c06b8abcfac56df29b6259c6f6bde88917252455700b8417ff270d41e39c5172c6b67d6ef022775f60b98c45dcc47c2c420c1de645bec03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0ce80f495aec42211c1c713217997806

SHA1
a528a2b3d4a5930f70d771efa15ac20d535fa4d6

SHA256
9f5bc3f162170137dd445ef050b69952158716ef6eb506acd4b59df1da38e6c9

SHA512
c414ff5a7ecd0915c3e3993c4f05daedb3abe6f30a52df621fc6012952990e3325c0e3258aa48533dae9dfcc6bb6909c6bfc801daffd447d4086db92324c5380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9bd89a6a723d0a84ce3d2ea8b9fcc1b5

SHA1
2d549aea2d617f56b051525548272d9d94ec97c6

SHA256
8731a2f0820d0cca2807011e617f63c32f0cf8e12cb2c752c6a1c7b020b28cb1

SHA512
76b315cde2c2552cd4ba059d3d2733f2f77bd74bf768d50cc689281cf34a17c296d6885cfdb84fdd068c6c07dee9cfc19177e0c2f72f2b49b8395ae99979f5b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
64dd84e86a155609836abba556cb86d6

SHA1
865219fec33246484491468cf00c02a314cbe399

SHA256
e07f377b330fd78737cb19c27c5c6c2a94ec24f72d6216931b0d0ca1c88d9ff4

SHA512
cab11a3b7e80b9b9eb2d79cb73322ed312b4be41733f2c13bcc7eb48b890bc0bcca4a550fddc4b32e2339d95a9430689eb8a3048dca3e9562c123e393c584e27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
95d2929021a33dad4be4d9939275fdc8

SHA1
97fbf608ddd926485348d65aad1e5d29d79fe88e

SHA256
215c9b93a8a022c5b8a9a81df37cd7c4824c6f9bab4448e5b5022718e9075783

SHA512
09800394892973480a8014e66fc6727017171066b2ef55d0c5196b2fbe28dd2f83c6be374b7e3fe5bbce63ae129ba467b849dddd2c12a6fc3ccf144080cebe15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit