a5636ae3eb3448ee2e162928b3610681218bcf613fe98d200bdb87f8fc505735

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 11:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Size

40KB
MD5

9189af4cdc404cbfbab07ea470cb89e5
SHA1

1480e5fa3cc3718ee9d926531b2392a9aad80e85
SHA256

a5636ae3eb3448ee2e162928b3610681218bcf613fe98d200bdb87f8fc505735
SHA512

4af74694646ed0758836ca438b4947a7ff98b32470860ae7d9498dc1616a74dc73ecd2f75673c22b823875548b4be940bc74b19e3d1be509a49ab9b4bda63307
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH/:aqk/Zdic/qjh8w19JDH/

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000f000000015c7c-9.dat	upx
behavioral1/memory/2960-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-856-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2960-1057-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
File created	C:\Windows\java.exe	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2960	2772	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2960	2772	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2960	2772	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2960	2772	9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9189af4cdc404cbfbab07ea470cb89e5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8890716a6d516948be39866d8ef51605

SHA1
b9471231276a3bbb0b51ba351f1e516414e45f6f

SHA256
ab4d181310bbdd5a0155e10026d7d4c7c499a544734b89cb53fc0270863c1255

SHA512
b4fe309fd336630f9f4f6b63ac64f2ab67b424d81f62b37fb2f9c9919a6675aa89cde965c8e7fe7c924045a0723d0ad661f62ab68d6aa0816d6d62dcf5c0a0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0494be5fc5875decb6617ae63cb0e343

SHA1
55ab82a0e5a727298f30ab9c482ff0c6b6d951c6

SHA256
6a38dcd75da629678f1b66c5657b0e007362d9dbd41c90ca967a20c325bc9d0b

SHA512
0ae21def5488110261dd33321ace33bc7cea2d6f7a41c7f1250e46a07a79edc5e84da2af43a8cd967952e5afca806e4f3101a8533ebb10bc9b2d346d1d4ca26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1c12475666e2c392b68bc50acf2fd038

SHA1
3976f3887cd201bf00112762c751aa74d6e25313

SHA256
34a9d95fad070f80d83913110cfed6d1847789803ea2780af2bc767ef28023ee

SHA512
9de98060a058ed3bee321c3f335a0342b28af3ab81a9f99d551156f21faccb7e3d10de52c03bccea89abc238c5045580d42392900add1f3c082b8da27545efda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b01b0409707afe8ef77a7dfb64bce65b

SHA1
e758eb40032d7eb53646b3c474845fbb7424a449

SHA256
00769f8cc5e02ff22db589ebaf0a5ca9cff8d4f8a80a7e398d610785242a1540

SHA512
05184d9d6b7794a832167e8679d39dc85494149be1018540447afe1f3da9b899877afe6f1a5c279cdf608825aec114aa87b40c6c080acb2f80fff76fbb3d9a34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
58563040461ee8c3e6ae5b52fda46179

SHA1
2f3ee4b7dd0d67be279152c7ffc5dd487a1d42fa

SHA256
2c767624e5bbd0ed2c59a6ef217c38a66b71d05ca1a694cb697a3c9d80b69c5b

SHA512
e4766a8691353cee8f599f43cc9de5a2262cb457f142d2fc942807ceaf8db3ccba8590d112591d3bfc2bfa002a740d5ca97c97d115e23c8e78d39397a83270a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1b0d5d132d4ba348576c3e8e62307c21

SHA1
5d33834cf50ee5be37e7e56730f14afa498679dc

SHA256
d4a1677955795afc515597839de6cff086e82d4e3b6db75122a396df1fe03e03

SHA512
dc8843c760733131fe392c1149032fef928ed5f224b00294c323ed2b019798d2390601259c090dc44f39f526ca090fee589cbe537d5609fd67efe9f93b799c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
62e41e0ab8a2de5f37a2c1bc7ac45b42

SHA1
4d9970dad39200d535a6bc1df7584d4c0db7eee7

SHA256
0150a68035982cef7e0dc20c14f8f913ff633b0ed591fa3b6c0c1f94aba59332

SHA512
a3f092eb46eba3030699c66309243ec260bb1b1f71ad52aeef8201349e6812dd99f363f1644b1afaeded9260d71794c0f24acc25cf3ef1de5990c5f0a54722bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8614686b2f98f2ffeb2708e804de472d

SHA1
5a1664e0d31660cce470d62fe535a802ad18e6d8

SHA256
b6c5b9098e571ff160a4e507d3809c40e8dfbfd0185aedc05818522ee069ebc8

SHA512
1384c77d3ed6ea7be89eb3144f4dce010df0e1c3327696eb89be9e13bd93be020eee6e3fa197200a6fb95b154bb15b61dfd42d617cda184cb25a56b5d227013a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ab6c808fc4d15e9842a1d40de820938c

SHA1
e1f88aa09223eb8983d004b93389a23081d15b4a

SHA256
8435745c1427a168d45f072edd0207332ee3577e7f689d7fbb8a274427d5f889

SHA512
f85720e06d406e0f45649551ec20c051215198b2ebb4017cecf9a531c7b9793a52a51ae8ebb11cb4a80f8c9bd292ec80b6fc3efbc686583ca1770632d617bdd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d9ab66c1c860d0c848c56955ff2ae8ce

SHA1
cb562a0698d7c057177c5742eb1be562345a5e05

SHA256
f7d294a4b62a9682f809892af5060b52971a64e8e3ce8c1c1453d77f40ce9ff5

SHA512
f52cef85accf692d6913eb21b4ee4124565ad3b91a848aaa31904b2681d33ebd683bb40c7f7de7570f46f7cbe3c267cb4cf0c167b425eef3fdd1495940ec26f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d1d12d10c2ddfec30a7bd0786b4b9db4

SHA1
4c0b4fcab729bb0208f4b6d75461299063e8b371

SHA256
c8c6db0222daecb75cb4fbfcfa1d425b65c0d9dd7147882e3e50dcb0fb4079eb

SHA512
6586fa8130cc1350c2362d2f2bc132476018abeb3244996ef4b7f3e3790a341590834797e379ed6d01f7ab6a6b3c029cd593886bf6830d3f68b10f06d966cb3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b2a7cf68bb512562ed29a8c19020b6a4

SHA1
411eb036399081b365250d56bb20c42e720bdabf

SHA256
05ce731c3d97cefcb274ce40dce654d949a5d9ebcdf08e7c504c18b917fb1d4e

SHA512
5c0d82da6320aaeb3a30f3dafd2abc360c03a1ea70d71170d0e67387482233d3180c6671de4dd50f904e1e049fb8ac9e958698effefc42cbe2f6a2af08d6c386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
71d5757cb9dcaf558bc32f33aadc0bac

SHA1
0c1ceee19fa20934916a44551a61191f1e133d4f

SHA256
c06674725518afb28a613b3a46040c6347e931837dccc4c2b4b7726f2eeb17b9

SHA512
8c85b764eb9982b446019562deeb09f29a04d21a6c8ebaaf695b667d7b900c60e7e264444292a305a605aa378b77ee6833a9289850cad9eabaca3c5a8bb27fca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\search[7].htm

Filesize
153KB

MD5
6984d4434a7a876e5b50b371bf82d962

SHA1
8176b1a6b33b90301f7b774f0f23f43fb3aa6d18

SHA256
f6c03fe952fee2dfc6335724351d1951cbc94594ccf2959e0f971234d89ef979

SHA512
31594298ffb0ce56736219a6125128fff9b4e3470a6bb08d4b310c457df8f5c83fae09e7913a6723759c0332a617b28980f27a96e31022f7c085900a77c7995b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\results[4].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\CUOA1WIW.htm

Filesize
176KB

MD5
f313f5bc93e8e8cefa48b2c4a950a138

SHA1
bbfa62fb3da5579b024f6b324cb059b9e8d0d317

SHA256
6904f9e29339e4cf4249c97186cbffb453348c70174c1b214bf1b430528dc12a

SHA512
e24948e6d6ceb16e044620ec928c2437416717fd5a4c9554c5a7e5972da5dd5909e5a523ee7788ccd00355b12f718e256e6ebf855be1f18d7b231423ba223611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\EGQ8ES1Y.htm

Filesize
176KB

MD5
f6ee16bbbd19df2acf15883ad5bb16cb

SHA1
d7324c89e241b2c0512c6f204d98bcabee1ebd61

SHA256
77709ca456a2cb1ae4baf3a8ac9a0a2a26e34b23f22a06c59f2bcffa131deb62

SHA512
35a55797c9cc49d6e2cbb7cae2f7a9e79a5119e87b881b4f18d6905522a66252f13cef81bc7e89831c5bfbdddb53f594756bb8d56c203418f8d1e45b5334eafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7596.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7598.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar762B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F49.tmp

Filesize
40KB

MD5
7b0f31ac0b9d518816808f2c40cda9e3

SHA1
2d93a7b93becc44ca85f8d228388f8c8f946d939

SHA256
583cd59d541ad806db7f79eac5f6d2d4477e019c6aae4ebed256ed23de8588e4

SHA512
5722c62c00db3e80e6d647c534c5e1b49c1c95f7c535f779b5bda7fd804fde788a119b227b499724693aee884a1d2f6b3574c6a02f034b29c36d0d468db61478

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c28d9742ec9a1c98a9758775bf2bf1e0

SHA1
6020c503edbd4ed2497a74fa8fea67f25f22da71

SHA256
7cc914aab5a443829c36ceffb49f98563b8072277cde8d55a375c836bc919b41

SHA512
aab61ecda3c0e98505d453b5eb81e4743029534b4e75e80d6345ed94f45264600932a5b2c32796c4fccd9f54ed9233a6815861e85a7ba1e0ef25b1a4a32a904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6e5d1c21a78a7d617e95045c9670c23a

SHA1
a7ae450cf7b543cc8c961c7827d21ea45b27d08d

SHA256
b2f63994bc03221e3ec38d523fb283b6f789cf9411189e537eb2b13f751b78ea

SHA512
07aa4579396859897b8b0b03cc4cb1a99dd289c908c23dee0696ce7a62a0bee1164161190118070ee221af729e230e7b6a26758d09e34af9f625161cf2614233

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2772-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2772-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-856-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-1057-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads