cdbc83deea18fbabd9da83c923eaa9d0524f75636329b9bc996cd74e1612edb1

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
Size

489KB
MD5

00cf0811e497c98b2972270655acd52d
SHA1

26c5a66d6309394934dd7c7be8c2a9a6e17d62eb
SHA256

cdbc83deea18fbabd9da83c923eaa9d0524f75636329b9bc996cd74e1612edb1
SHA512

6fe54ebb1ce03274b1636b7ead870c3d435413eca1365de1dd025a7b69d99d0cd7eb5c93b3f4599b9846b6670fca416261c4a292dc6866d0fbe4c96dfb07b7c4
SSDEEP

12288:IWxr3zVeCXiGKeY8xpeUQTROgwMunb74g:IWd3z9bY8xg/ROAkbb

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2624	Dymanet.exe
2648	EyalF.exe

Loads dropped DLL 14 IoCs

pid	Process
2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
2624	Dymanet.exe
2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
2624	Dymanet.exe
2648	EyalF.exe
2648	EyalF.exe
2648	EyalF.exe
2624	Dymanet.exe
2624	Dymanet.exe
2540	regsvr32.exe
2624	Dymanet.exe
2472	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnceOnRebootScript = "rundll32.exe url.dll,FileProtocolHandler http://www.binpop.com/?cid=114&eid=reboot&key=0911F"	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{848180A3-7F2B-4E1D-B717-37705ACCC328}\ = "Z-opti Browser Enhancer "	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{848180A3-7F2B-4E1D-B717-37705ACCC328}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\ = "Context-Ads Browser Enhancer "	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{848180A3-7F2B-4E1D-B717-37705ACCC328}	regsvr32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\$BLSTUN$\lisjc.dll	EyalF.exe
File created	C:\Windows\$BLSTUN$\svpzg.dll	EyalF.exe
File created	C:\Windows\$BLSTUN$\apUninstall.exe	EyalF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000146b7-15.dat	nsis_installer_1
behavioral1/files/0x00070000000146b7-15.dat	nsis_installer_2
behavioral1/files/0x00090000000147d5-22.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09feac395c2da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000dbb1f7ef2b05d2221fff44f076d3efc2fd0c4609dcfcc270b599dbb7d357abc9000000000e8000000002000020000000532907d299fd178d39d3dcab1b088662d1dafb4f305e992047685db98b526d1c90000000f350c4480147f10a34e8ba0fcf2f03648df81f33517b513b87992925b728896faf55e9a0d5f7d3b35be7d77ba1bcd275bdb6fd5a3f54fb54cd2ce317809c46829cd7b2b7029319604c6bbe6c2bd34371b0c48e7a80d2553e29fbd147ae682b50c70751d9eddf4414d64690c9105a50f61e0bef4e301b163b6df954d91e3e8c45acbe6f11931081e9a6c31f1fb9aeb13c40000000342a17aec54869bc634bb4a69a2d81ed8f57766cc3254c33fb128cda0cc57c015ce28ab72c0d927ae5d761dc00f08d6145e85c3dce6b68647459f72452864a8c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDC45641-2E88-11EF-AB87-5E4DB530A215} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424996982"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000bb5db76069a5408086776010938f7f7b16170630b963534f0a22dd269c362576000000000e800000000200002000000002dab61605e86cd69d1d3cf0bdbcd7a5030e83b7b761ab9ccfc97a253aa8a95020000000cf705b7ff645a338f0d07f84ba270f746b2762a9f04f95ff7a55e3d74fce97f240000000bc5b35dc9d145d9495cbb014bdbf5827245bf5b71e8dd326b2cadde1f1c82773f6bfca306071fb39e436613cb9108ca829a0629fda8273ade13c5f5283b6861a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}\instl\data\afltId = "mc0911f"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}\Instl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\APPID	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7DDEA4D7-996E-4000-8E3B-997B991F7E85}\apps\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}	EyalF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr.1.0\ = "adfayicjpr Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr.1.0\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr.1.0\CLSID\ = "{848180A3-7F2B-4E1D-B717-37705ACCC328}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr\CLSID\ = "{848180A3-7F2B-4E1D-B717-37705ACCC328}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr\CurVer\ = "adfayicjpr.adfayicjpr.1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst.1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\InprocServer32\ = "C:\\Windows\\$BLSTUN$\\lisjc.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\data\afltId = "mc0911f"	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\ = "chkayicjhst Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\data\PRDCTID = "opti"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm.1.0\ = "brumayicjgrm Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\VersionIndependentProgID\ = "brumayicjgrm.brumayicjgrm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\TypeLib\ = "{105294FB-3864-42EF-BEAA-3BCA90039DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\data\SFTID = "9cbfc659a3244be587d95a0d0d5746bb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\InprocServer32\ = "C:\\Windows\\$BLSTUN$\\svpzg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst.1.0\CLSID\ = "{2974BA67-E90B-427B-934C-C8BBDF1B722A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\VersionIndependentProgID\ = "adfayicjpr.adfayicjpr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm\ = "brumayicjgrm Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\data\HRDID = "9e7c551aac8c04ec00005e4db530a215"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	EyalF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst\ = "chkayicjhst Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\Data	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}\InprocServer32\ = "C:\\Windows\\$BLSTUN$\\svpzg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst\CLSID\ = "{2974BA67-E90B-427B-934C-C8BBDF1B722A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkayicjhst.chkayicjhst.1.0\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adfayicjpr.adfayicjpr.1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm.1.0\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7DDEA4D7-996E-4000-8E3B-997B991F7E85}	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}\instl	EyalF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2974BA67-E90B-427B-934C-C8BBDF1B722A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\instl\data\afltId = "mc0911f"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F35076-B5C2-451B-B8BC-C7A1462AE44A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{848180A3-7F2B-4E1D-B717-37705ACCC328}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}\instl\data\afltId = "mc0911f"	EyalF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2EAFC421-6A41-4793-9AB3-9EADE4E1E9B1}\instl\data\PRDCTID = "adPro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7DDEA4D7-996E-4000-8E3B-997B991F7E85}\apps	EyalF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B6AEFE8-AA64-462F-8B43-932C1E092CDB}\Instl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumayicjgrm.brumayicjgrm\CLSID\ = "{11F35076-B5C2-451B-B8BC-C7A1462AE44A}"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	iexplore.exe
2156	iexplore.exe
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 3068	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2624	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2648	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2156	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2156	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2156	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2156	2792	00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2540	2648	EyalF.exe	33
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2648 wrote to memory of 2472	2648	EyalF.exe	34
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35
PID 2156 wrote to memory of 532	2156	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00cf0811e497c98b2972270655acd52d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\java_setup32.bat
  2⤵
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\Dymanet.exe
  "C:\Users\Admin\AppData\Local\Temp\Dymanet.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\EyalF.exe
  "C:\Users\Admin\AppData\Local\Temp\EyalF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\$BLSTUN$\lisjc.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2540
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\$BLSTUN$\svpzg.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.binpop.com/?cid=114&eid=001&key=0911F
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f351e913bd8555032d211c2a4449bf9e

SHA1
b72677c27227558f9d423d7b257b571b5a33ffad

SHA256
b09af1990b7f6c0ca008f962b8f0d60b64197b08c05a39b1990c3d0dfbcc6254

SHA512
1b48133e2850b6cd6511e629c76f499bd20466c6f96271c86cd12de26eb302e64ec258ae7216c9039235c500adab02e915f41763fe777859fabcbe37031a6706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e28f64cbdfab1219e8cded1b7cc89ba

SHA1
1dc95f0f30a51bc881d0ed7d44ae5c276ee99460

SHA256
54fa59b853c0ca677a77f71a52fc2e4d4b23ab8cbeaf960dd297c08a4f9bb43d

SHA512
a94854f861581068e6572dfb0b613e240fa61aeffb21802a505d609a9eed89741479c10d5b4fedb8e200176de4faf71a77d994cf482282fa9d1a6a1fda82b707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2dc977eb27662623cadbbd03a06425e

SHA1
1d2ab4f8850c1f0d7eb5a87487d3b54473cc233b

SHA256
a8d881e343f71344da05d25cf110272684b1c410685ed751ae2b218ca2f0a12d

SHA512
c5f90464daa3efbc8d0b255cac6738e557b77e2e5f157d8766bb63db80796ac3a7f4657d70b15818691c6ba0cebe63deaed87e43ea4ad45da63c261187a0d8bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e16c56abc6e0fb3ac29bc0c36fd110b

SHA1
aa5f1cc894ba3d4d961f341edf7ed0670683843f

SHA256
7e9061d943d7abd15df616b29b71089195345b1ca5e050a886a5322f7c11cf8c

SHA512
33b27ec25832961e71221e54fb5ec84a1ae4baa083f7e92ac392216bb1e716c85370a153424af2a524b63b7726567f049b25cfd6fa41d1aa532dd59901af8c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94b549da91e97f7373449023f9244fa4

SHA1
6c972cc2f27e73cf5900d7d807f9c6ccc0dd9b98

SHA256
c915750c68af375e5f9d56246aa03b9d92787b150eb2fa0fc226183f75cb634b

SHA512
a6c394b52905867fe35cb3d3176c1e6d1b0fcd44357056e496155b0f6a72543f8b44db93ee3b1f98bbc1017d30be52f2e1b1d725db4ad8a509dfde406697e670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fe06bd0f21f08aabeaacbbb01dc05e8

SHA1
33a52d0fddf4dfebfd8bc60b5ca2137f634c152e

SHA256
88fcbc35479f592db6036d593a5a028aece1a778da4157a4ef3e3f4a4cb54f34

SHA512
a9d87fd6d7959cf66f20ea3549ba07613debbdd4280448458d3142c803e81ff5b04fb54ad130782c3f7cacabf2721948559a285e81b3d6595f76dd4e1f3eed77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c6cc2769dc41461fbe4390fea6e83e1

SHA1
62e7ebc69716580e3287957a9dc5cbb94dd77ebf

SHA256
29a1ee00320553f4b1b6bff397aa5a4c21f4d446a568b1e64659502a4004663d

SHA512
53a73c3b330678df8f290387588bfdcfafd9bd2bbc3dff27209645a2139b05e3c75dc2ec2543381c5cd93b148859d024c65e9b95dda5649fa0cc232d7b2ae4a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ad96658a41fc1672f814712446196c8

SHA1
a99fbffcf69b199ffd78b97962cd834fa5a5623d

SHA256
0ae5fb52775dced84a79232b6e1820086a4177531859b3dbb6793d73464a9923

SHA512
9025c4b9eb0080a0272748106c90402673943395de64e342578bf205c122411aab92aa5ad8167fa07c54f808671124c2f5fed26e56f88985b62b0810bf4bf006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1894d33c82526054e5fb294548481ffe

SHA1
f71985893908a83e67e09be9892048ace5d3c56f

SHA256
61deb26ac9c72ecf29d2f28c94c5ddc4c8b93e5a615d9507ad032e6a09227c43

SHA512
97a6c2573d424998e37b335cfad85b3863e061bb95d23e63bf93304df08218a35813f5171ec202ca16762450e35463d3fe4fee2cf6829159a06c931599232459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0046e0da1b345ca1f74c2c9f75409f18

SHA1
f6a9346f7944f6707cc055627f390e48538d8c00

SHA256
4c0d5cdd3c3534eb0f5ea779b22ba8a84e497e961fa5232253a2789771d5f45b

SHA512
3974e61bde4ff6261a6731887d552c7b8ecbb08147396778d6ca94a280e31ad7025fad7cd14c5f4072062ffe2e39f6f3fd4fa15d27b5b590b94c1fff6e9f757a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
923bcc623c9879cc00257df7e1bf346c

SHA1
d75f2d5b6160b0ba3e76d43326ed060f16d7d9a3

SHA256
49b9d2eb92d2eb06be81d7fd8ea790bbbfc60fad8ba6aa71978a7faf63a55e48

SHA512
6c76c275c497df401c70b568cf13ec939ebebd2270f48714c6ac4b9cedffcaee1bda16bf6fc8a95fb1468950c1cf7d7ca34f555643cad1a392c5e9ab69ca7967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24ba9507a1f878f26f8417df77e240ff

SHA1
5323817058377e30600284b91a75ea81681f6b09

SHA256
a0faed22b677f0d980df1ea6ebd0c163a20b445b2e8d42ffc6cac79cf1b4b9c5

SHA512
e0e52fd1c8f58d11066b38845073c1c45cd99eeb74bbc6d307e0f0b036e7657a4db3e3db5faa71ddf345e0ab96676ada176b5ec3cd688afa9c14a242f00c4480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ad61ba07000f72bc41d454d882cca5

SHA1
74cecfa564dbb6fd1a12e18ca53565956891e3a1

SHA256
1fca4f741fa025c2ff131ec05486d3c09ac005a3799be2c57001f9133d84dd6e

SHA512
923d35e41bab293513464879fcc49de07cc7c02534e15184613674eb3f10119050a6e03d70da92f88b395a86f4130fed5b4f9d2553a4de6a78ba6d5444d85a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66bae266912fad5c3fc48b61a9dbd3c9

SHA1
ae1d6a18eb4f9a3455dd3af5ebd42b325397fed0

SHA256
68e87e64eabb4d79edaed82f4ef2782790c3beeca325abc8b2cc6be5ead7f38d

SHA512
3ce34b88d7805fad422ca219483f99436d5905b9904742b8314e7d80f2b79af65b53ef7c08605d70fc9ec7831a17f71f78235c3374cc1192688d56c71a6d7211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400258a29c93ee17dba9e08e3ca2a5ed

SHA1
7cafd603d424996f6b6889ed0c865d42676424f2

SHA256
35fc0a96c64de62b2eee98f081c0a72503123fab97ece94bfc5361cc14966cdc

SHA512
6d19e43a75f56f1ab4f86fe2a84279f74f8d44a515787a93bd2c23beaf73ba8f332f6b1bf1713c49a468bd2effebf53132314628af7ad538da7317b52315128d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbb318fdd185c5c596eab22e52767174

SHA1
baeee7f51a00f19b7b555851df935c4931ecdc0f

SHA256
6a34fc44e8fa66a2f1a0cdfaf4cbbfe32677418ed27e0f3979fcee76fb2ff290

SHA512
6e5b9192fbef7734ebbe891cb9e21c8f82a3d4c07d8d1d265e7959cc4a749fd65ff2346af924012ea53bc22d7048924eb755be1cb333ae22e04677d9735816d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb3be50be2215291dfbebc1e7c61076b

SHA1
5b724e72513f443ceaadd073e3ee856b8c4cc0d1

SHA256
71fd97fa1d6338ba15be8198ab6cc09d039d5f53786ac6ffa2e8e2a9b09a5a22

SHA512
138b1f19e550c9165d1ff2e52392d49491aa37ffb90335ac9ac9f8022b3b0c4ee78ffba1e5332b262ca7f739c15b98f3901353516a2e21ff631548d8f9c92c07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
281d861e70fef269993b76ab945e4ca1

SHA1
aaaf0de5f03284f51b855d0d983b608e182ad641

SHA256
1c7be5d46bab1b8deed3eb29d14cf0221f3974df1305a1d3c57caf80b6be55a3

SHA512
c111dfbdcccf53ddbecbc4f4899d4d0111fc43305ea52c7053efc1e2abfdf96b86b298e17feaad8605ca1716228cfc01db539954dfbd193de6ebe8a7c5c6aac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6822573b06b122ae05572b4a7882a2d5

SHA1
d25aa141aae23c10c782eba052df0ecc0a29e654

SHA256
ad23a874f8b0ce2d719984c8c49c11fa46f7dab6b86a001ddb161c2ed953f206

SHA512
71001a2a5633bbcc412af77adf2be375a4ac27fbb3436d8cb1347ef8bfd4473e717188610f123c30378a90812fd80b96ff17b9d661b908837887f37682a5248e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40eb3f12c090b42e0f877fd411b11100

SHA1
58080b3122c0bab70ed581ad8ab9637161655444

SHA256
7694cc87a760cca816e36cbd59164da425fcadb5434c9aa9abf835152d960617

SHA512
510aab5cc3ab90043286a0c2de40fea780d2ab9d8cadd3f205db7382fcf159f98be7000d056ba126887943350345762e72169a8db94f77ad57bb5da6e46173fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46c3af9a4ae000de0d1ebed55af8c29

SHA1
9c729c036a59d50336227dadd57caa53ed5a4504

SHA256
4e735ac548488b5a811975647903d8246f5e7db7444ae50603835f14a78cad06

SHA512
1ac0fd6906f8f5164b3c4922090f63274bf844365f4e8bf8e2d07add0721904073f5b90c7d0bff75598bc1fb7bb9ae7788a669aa6d29ff0d495e6a0f1c19f5a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de14e04a61afdf6ec91427b9622ade0f

SHA1
49f6215a081fcc82b0fd182fe51a86e119596c61

SHA256
3d95109e23f0fd48d76a9ee4155abd5282e1ef8ae4ee2f539fe7c284dc8d2b4e

SHA512
d9d8e7b3148f8babefaaeb3fca4e2fe02312e879e16da6c783414d4f40d9313ae2c15b48ed1ac36b30ba19050482aea527e13db1b39c60623c97c030d4b1b5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7ee3322c64e9318b5cbb84dded97d60

SHA1
cd50081d8bb473d411ccef738e56c5c9335de4b1

SHA256
8701735166153b3346ae67b913cbb2dcd6e35d7734c1f2f9ddcc83e2f6459f4c

SHA512
961c30b17c9c73b2a6d116f2d8a2d3819995042ff136d5a5bcc62fb8eaaa20abd0bf929be0fdbf31fba71ff461962e172293a656b9b33f3bb146719d705a9ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
471a1f9513a43a0905bfc06bda22060e

SHA1
08f8190a567d9e09b1d14ab03002ebbfec2e2367

SHA256
4989f51ddc0a0eea0a7624b911b454cebfd1a78414a62914216024705afdf4f9

SHA512
71484a39b9c68ad6e764e0f445f47596d5c083781ce0da44a583c3a312c6066bf8191c2ae8c03eec2b8a6c8d006349190e2453a69d86a3ab5b69e4d93f7171a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab677C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar684B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_setup32.bat

Filesize
203B

MD5
b598f7ecbc6431fa4481695d93c2f21c

SHA1
9c043ed8f7da74f132faf5d829c959889f58378f

SHA256
bd99536ae6ddfa6dae7515a63dfb3f1dc6897239370b5d567cc53e74f6fb1a19

SHA512
0448ce1161db8bd0ed9156e8f53bcac87be191067c7f1176cf49086e28e370ef1e0b876420b578c126b5b0811b85de253cdfa9979c916d5e47e8c6fb45c84723

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi605A.tmp\CustomLicense.dll

Filesize
4KB

MD5
8523fa00a3bd9da6e03944f6a913988a

SHA1
15064cd29d1cadede3957917ca5616c32df10f5e

SHA256
5f361c6f7d173838b02fde65f1daa0d80d1cc60af4d08baf721910c3b3ffed1e

SHA512
ef7da369237f6db67e7f3ab1569a47f8ce1fba0c59f5bc9088b9776012a35cad62fcb824728b32cf1b3b38e39f64439ddd9a77e1e91364a7efe63aca1209737c

Download Submit
C:\Windows\$BLSTUN$\lisjc.dll

Filesize
236KB

MD5
45b4d4c0d64b892d4edc0e4b04a8720c

SHA1
44fb8534dc62d464a121092b78edecdf5dc575df

SHA256
874bc8b8d1599f844aab50dc3d4ffb71550282ede28466fb0871e11a3ef74120

SHA512
9c1909cb9906dab10020f53173eddcc9efbe7b91ac4d6dbdb7026f9401128e64a3ec1ca0871db105483eeffe40f125dcd0983fd29269b5df58a0b234c44185cc

Download Submit
C:\Windows\$BLSTUN$\svpzg.dll

Filesize
288KB

MD5
b3266412599cf721d92881108cdb2b1a

SHA1
ef3ff933fd313f4f87f2e203d5dae242ca462dd0

SHA256
600ac8bdbc99efd95971cb80c049e56a4196e1ffe5273a284ab188d19460fcbf

SHA512
6f4c91ffcc2f5f0b6b347c77ec680ee5d0df05dd0a8affa9f082c11c3cf360eec31ce4bee3017ed1b87224fc9d38ea187347db0fe1b88abd0eb451075e02a644

Download Submit
\Users\Admin\AppData\Local\Temp\Dymanet.exe

Filesize
201KB

MD5
120090ebf2ac827d52ecd8f9d7e54a5b

SHA1
e2b281f96703672dedf06f60eaa21e2f4c3a629f

SHA256
7900bae5121e3eef3e931fd57f5cd8fdf7b5736b841df439f7cfe107519a4a35

SHA512
293544cea1a68386f1559cc485d866d9cb965b1579f4dfa8ccbfcdefb94de58f7249cca6a579d48fc5e08a898268413715b4433adcc50ae92e5b794ba105781d

Download Submit
\Users\Admin\AppData\Local\Temp\EyalF.exe

Filesize
260KB

MD5
1677bcd05c889302bf7609e661d94537

SHA1
ee0196566967735b1252101b0932a26f663acd37

SHA256
99918e366fe01b457f2032fab2d1b9523ba5708ed1e2fcd3f410bab81b47d804

SHA512
da8f111fb9b87135e5b5221dd96c03e38640a9cfaa4f61a601a5ff627700c19ba8882f70f20e70d78e94305629f4419f13aa46eb75eb3599237a8f878aaf31a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi605A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi605A.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nst5EC4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads