d1c1067e4cfdf3c30d3f13eadce8a72bbf32317ee67939db7a4fcc04d2d2e0fb

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
Size

3.4MB
MD5

08545b44439c2869ba8c0b8a4d8f96fc
SHA1

7be7630dffd313b939562ab98fa4f9d3f06cb531
SHA256

d1c1067e4cfdf3c30d3f13eadce8a72bbf32317ee67939db7a4fcc04d2d2e0fb
SHA512

4c74c75ead9e6d72665120e8f18b52a6f32ee1b5342d66d4773e1a103d3e07f834f7fc5ba4c1c89d5c7189ee3ea7894b7825b291b36d8a228ea62e24218c56b1
SSDEEP

49152:jocuK7GiCs9h6oArnSIQ1zTRESF5+9u9jM5dgzhywgDjuHBjTkrHyUuTQf/I4GZS:nQlrS/Lmu9hN8juhjQS+I4GZKKQ

Score

7^/10

evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000e00000001214d-8.dat	acprotect
behavioral1/files/0x000800000001451c-42.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	Windows:msvchost.pif

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	Windows:msvchost.pif

Loads dropped DLL 4 IoCs

pid	Process
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
2736	regsvr32.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
2460	Windows:msvchost.pif

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e00000001214d-8.dat	upx
behavioral1/memory/1276-21-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows:msvchost.pif"	Windows:msvchost.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows:msvchost.pif"	Windows:msvchost.pif

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zlib.dll	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jpg.dll	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\win.com	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	Windows:msvchost.pif
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	Windows:msvchost.pif
File opened for modification	C:\Windows\SysWOW64\jpg.dll	Windows:msvchost.pif

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows:msvchost.pif	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File created	C:\Windows:msvchost.pif	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
File opened for modification	C:\Windows:msvchost.pif	Windows:msvchost.pif

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
2460	Windows:msvchost.pif
2460	Windows:msvchost.pif

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2736	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	29
PID 1276 wrote to memory of 2576	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2576	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2576	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2576	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2460	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	32
PID 1276 wrote to memory of 2460	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	32
PID 1276 wrote to memory of 2460	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	32
PID 1276 wrote to memory of 2460	1276	08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08545b44439c2869ba8c0b8a4d8f96fc_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\1.bat
  2⤵
  - Deletes itself
  PID:2576
- C:\Windows:msvchost.pif
  C:\Windows:msvchost.pif
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.bat

Filesize
209B

MD5
38293a475156af94601b015219c64b14

SHA1
f67b0c5ff298068111c0bea8b14cfaae31650d26

SHA256
bcb718e0a2ff4d3f6d6d5e7e985f16e216ab39aac3d8a01560b01e7e60f21c9f

SHA512
9cda1ab617d4d71c2bfb917f09acb8838657de196221489cce9eff15f69ff0512cdb2d4a70a8a2ca568f0add820622ce55481ed9947b4b87fea1b394b2832ce6

Download Submit
C:\Windows:msvchost.pif

Filesize
3.4MB

MD5
08545b44439c2869ba8c0b8a4d8f96fc

SHA1
7be7630dffd313b939562ab98fa4f9d3f06cb531

SHA256
d1c1067e4cfdf3c30d3f13eadce8a72bbf32317ee67939db7a4fcc04d2d2e0fb

SHA512
4c74c75ead9e6d72665120e8f18b52a6f32ee1b5342d66d4773e1a103d3e07f834f7fc5ba4c1c89d5c7189ee3ea7894b7825b291b36d8a228ea62e24218c56b1

Download Submit
C:\Windows\SysWOW64\jpg.dll

Filesize
51KB

MD5
4eda362e326609a0a80e2736b67607ab

SHA1
64aa572d16f7cd6e6bd2296f2c96ad1604c713d1

SHA256
061e9f721af9a538dcfd96d13cb3deef1479b5785f566818c34c3faa585d650a

SHA512
f23f6a5c362808aef98516dcf12e3eeefd8498c812c27f96820d7d086694641cb4eefc7970b4750a0e4a5a0be1f90ac8981fc2f028e7085d50bd44bd4880c51d

Download Submit
\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\zlib.dll

Filesize
27KB

MD5
200d52d81e9b4b05fa58ce5fbe511dba

SHA1
c0d809ee93816d87388ed4e7fd6fca93d70294d2

SHA256
d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

SHA512
7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

Download Submit
memory/1276-6-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-12-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-11-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-5-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/1276-21-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1276-1-0x0000000000D70000-0x0000000000E61000-memory.dmp

Filesize
964KB

Download
memory/1276-30-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-31-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-2-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1276-34-0x0000000006170000-0x000000000686A000-memory.dmp

Filesize
7.0MB

Download
memory/1276-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1276-39-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-44-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-53-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-45-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-46-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-47-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-48-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-49-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-50-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-51-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-52-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-38-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-54-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-55-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-56-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-57-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-58-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-59-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-60-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-61-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-62-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-63-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-64-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2460-65-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download