e2f7ca22aacdedb489e6df6710c16bae7519bc7033d29dda95c9582c405ffee8

Analysis

max time kernel
68s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
Size

2.6MB
MD5

299add446ad38fe19ccac7f97ff8d57a
SHA1

0198fb3c98ebf604e4a88228aacc83bf308429b7
SHA256

e2f7ca22aacdedb489e6df6710c16bae7519bc7033d29dda95c9582c405ffee8
SHA512

bef140c7c34352ef072002312f07759928052cb2176f794d500807dab911742dc3e2ed5ae62fdbe0988d80ebb10cd3d8c12da7ff75fbd82f89b685eda5e61906
SSDEEP

49152:R4j4Fg/mTOii09HqbgILFAoCAV9m3ZeHniNnf3itUSG1YKyI:CEFa4O1mqMIioH5HoPuQ1YHI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1712	MSI10C4.tmp
2124	Weather.exe

Loads dropped DLL 10 IoCs

pid	Process
2092	MsiExec.exe
2092	MsiExec.exe
2092	MsiExec.exe
1712	MSI10C4.tmp
2704	MsiExec.exe
2124	Weather.exe
1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
2124	Weather.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Program Files (x86)\\AWS\\WeatherBug\\Weather.exe 1"	Weather.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AWS\WeatherBug\download.txt	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxdist.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Wxpref.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\WxMisc.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_noconnection.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\LeftNavbar60.JPG	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\xpchirpedu.bmp	msiexec.exe
File opened for modification	C:\Program Files (x86)\AWS\WeatherBug\download.txt	msiexec.exe
File created	C:\Program Files (x86)\Setup Support for Weatherbug\uninst.exe	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Weather.exe	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\1px.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WBug_Loading.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\center_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\alert_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxlocm.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxweb.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_default.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\Background60.jpg	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxreg.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\TopNavbar60.JPG	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxutil.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxproa.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\skinmask60.bmp	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\center_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\def_bot.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_failed2.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\Bot_loading.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\wxbug.wav	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\wxbuglogo_hor.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\weather_window_loading.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxBug.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\AWS\WeatherBug\download.txt	MsiExec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10C4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1605.tmp	msiexec.exe
File created	C:\Windows\Installer\e580be5.msi	msiexec.exe
File created	C:\Windows\Installer\e580be2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e580be2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8F018A9E-56DE-4A79-A5EF-25F413F1D538}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI242F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000eb40c78f8f3426de0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000eb40c78f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900eb40c78f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1deb40c78f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000eb40c78f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
724	taskkill.exe
2264	taskkill.exe
1036	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4016	msiexec.exe
4016	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3648	msiexec.exe
Token: SeSecurityPrivilege	4016	msiexec.exe
Token: SeCreateTokenPrivilege	3648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3648	msiexec.exe
Token: SeLockMemoryPrivilege	3648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3648	msiexec.exe
Token: SeMachineAccountPrivilege	3648	msiexec.exe
Token: SeTcbPrivilege	3648	msiexec.exe
Token: SeSecurityPrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeLoadDriverPrivilege	3648	msiexec.exe
Token: SeSystemProfilePrivilege	3648	msiexec.exe
Token: SeSystemtimePrivilege	3648	msiexec.exe
Token: SeProfSingleProcessPrivilege	3648	msiexec.exe
Token: SeIncBasePriorityPrivilege	3648	msiexec.exe
Token: SeCreatePagefilePrivilege	3648	msiexec.exe
Token: SeCreatePermanentPrivilege	3648	msiexec.exe
Token: SeBackupPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeShutdownPrivilege	3648	msiexec.exe
Token: SeDebugPrivilege	3648	msiexec.exe
Token: SeAuditPrivilege	3648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3648	msiexec.exe
Token: SeChangeNotifyPrivilege	3648	msiexec.exe
Token: SeRemoteShutdownPrivilege	3648	msiexec.exe
Token: SeUndockPrivilege	3648	msiexec.exe
Token: SeSyncAgentPrivilege	3648	msiexec.exe
Token: SeEnableDelegationPrivilege	3648	msiexec.exe
Token: SeManageVolumePrivilege	3648	msiexec.exe
Token: SeImpersonatePrivilege	3648	msiexec.exe
Token: SeCreateGlobalPrivilege	3648	msiexec.exe
Token: SeCreateTokenPrivilege	3648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3648	msiexec.exe
Token: SeLockMemoryPrivilege	3648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3648	msiexec.exe
Token: SeMachineAccountPrivilege	3648	msiexec.exe
Token: SeTcbPrivilege	3648	msiexec.exe
Token: SeSecurityPrivilege	3648	msiexec.exe
Token: SeTakeOwnershipPrivilege	3648	msiexec.exe
Token: SeLoadDriverPrivilege	3648	msiexec.exe
Token: SeSystemProfilePrivilege	3648	msiexec.exe
Token: SeSystemtimePrivilege	3648	msiexec.exe
Token: SeProfSingleProcessPrivilege	3648	msiexec.exe
Token: SeIncBasePriorityPrivilege	3648	msiexec.exe
Token: SeCreatePagefilePrivilege	3648	msiexec.exe
Token: SeCreatePermanentPrivilege	3648	msiexec.exe
Token: SeBackupPrivilege	3648	msiexec.exe
Token: SeRestorePrivilege	3648	msiexec.exe
Token: SeShutdownPrivilege	3648	msiexec.exe
Token: SeDebugPrivilege	3648	msiexec.exe
Token: SeAuditPrivilege	3648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3648	msiexec.exe
Token: SeChangeNotifyPrivilege	3648	msiexec.exe
Token: SeRemoteShutdownPrivilege	3648	msiexec.exe
Token: SeUndockPrivilege	3648	msiexec.exe
Token: SeSyncAgentPrivilege	3648	msiexec.exe
Token: SeEnableDelegationPrivilege	3648	msiexec.exe
Token: SeManageVolumePrivilege	3648	msiexec.exe
Token: SeImpersonatePrivilege	3648	msiexec.exe
Token: SeCreateGlobalPrivilege	3648	msiexec.exe
Token: SeCreateTokenPrivilege	3648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3648	msiexec.exe
Token: SeLockMemoryPrivilege	3648	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3648	msiexec.exe
3648	msiexec.exe
2124	Weather.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2124	Weather.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2124	Weather.exe
2124	Weather.exe
2124	Weather.exe
2124	Weather.exe
2124	Weather.exe
2124	Weather.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3648	1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	81
PID 1344 wrote to memory of 3648	1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	81
PID 1344 wrote to memory of 3648	1344	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	81
PID 4016 wrote to memory of 2092	4016	msiexec.exe	84
PID 4016 wrote to memory of 2092	4016	msiexec.exe	84
PID 4016 wrote to memory of 2092	4016	msiexec.exe	84
PID 2092 wrote to memory of 724	2092	MsiExec.exe	86
PID 2092 wrote to memory of 724	2092	MsiExec.exe	86
PID 2092 wrote to memory of 724	2092	MsiExec.exe	86
PID 4016 wrote to memory of 3508	4016	msiexec.exe	95
PID 4016 wrote to memory of 3508	4016	msiexec.exe	95
PID 4016 wrote to memory of 2704	4016	msiexec.exe	97
PID 4016 wrote to memory of 2704	4016	msiexec.exe	97
PID 4016 wrote to memory of 2704	4016	msiexec.exe	97
PID 2704 wrote to memory of 2264	2704	MsiExec.exe	98
PID 2704 wrote to memory of 2264	2704	MsiExec.exe	98
PID 2704 wrote to memory of 2264	2704	MsiExec.exe	98
PID 4016 wrote to memory of 1712	4016	msiexec.exe	101
PID 4016 wrote to memory of 1712	4016	msiexec.exe	101
PID 4016 wrote to memory of 1712	4016	msiexec.exe	101
PID 2704 wrote to memory of 1036	2704	MsiExec.exe	103
PID 2704 wrote to memory of 1036	2704	MsiExec.exe	103
PID 2704 wrote to memory of 1036	2704	MsiExec.exe	103
PID 4016 wrote to memory of 4844	4016	msiexec.exe	105
PID 4016 wrote to memory of 4844	4016	msiexec.exe	105
PID 4016 wrote to memory of 2124	4016	msiexec.exe	108
PID 4016 wrote to memory of 2124	4016	msiexec.exe	108
PID 4016 wrote to memory of 2124	4016	msiexec.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\WeatherBugSetup.msi ISSILENTINSTALL=1 ISLAUNCH=1 ZCODE=Z6821 PREREG=2 REGTYPE=2 WXBUGCOMMAND=1
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B74EA099F1CC6D7919EE8EC51A736AA4 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:724
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7214B30B9994464D5A37D0ECD860C4BE
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:1036
- C:\Windows\Installer\MSI10C4.tmp
  "C:\Windows\Installer\MSI10C4.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1712
- C:\Windows\system32\msiexec.exe
  "msiexec.exe" /x {70DECFBF-9119-4434-B2D3-A3C283D15E45} /qn
  2⤵
  PID:4844
- C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
  "C:\Program Files (x86)\AWS\WeatherBug\Weather.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580be3.rbs

Filesize
15KB

MD5
bf763c1d8992e168104e438c3016bd95

SHA1
684fa40cf11267d6d74c22c008af372d6a0110ce

SHA256
14fb449f445a00c600828b7937614a3495a381f0ef00e86685d95e5525fd17e6

SHA512
4d03560177dc1aa145e8723093305ca5804c65114d1d4a88932c51e392c472a84552f29b9fa8b4fec46cc4d39a89c104d457f5f3e2222f37d4ed7f3fa750a74c

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\LeftNavbar60.jpg

Filesize
57KB

MD5
9b4d3cc1defa1efe0776ebf8bc72feba

SHA1
25935f40c61d99b2c98ca2d2780fecc1d51ad42f

SHA256
cb81a7917e1220f2b2813442f9e56530b3b75b79226bfee9631cdd1ca4fe5edc

SHA512
96c6ce540aed3787705f0f2ec37daa954af3c2b90993fb27845e9f066b4972ae82567a40c23fd5f231e5ab8a00deb364c75597a960a9bb7a8d1ebbc4ed53bcc2

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\TopNavbar60.jpg

Filesize
13KB

MD5
d6bfc2511f69cd46f89b8b5ad61dcc7b

SHA1
d9a79d4912c03da74247107119f677b8168766c0

SHA256
32f336b185019cf1440376e43cf7123f8c5b6171cfebfa1b907c386ff66d42e3

SHA512
10671db455c8d33466bee2442c1494be52febd2504f6981a55d511e1edced31067ba1205daf1007d6bad74888866921d05388cf89ab00b7507820ae71a5d3b48

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_loading.html

Filesize
400B

MD5
b0d89eb2f46778c5ce788faa486336a8

SHA1
47942c37e04ecc7fcdbda06a8ef5599a97d7f980

SHA256
5d5a6c51ac2f9b4022b1d2652fad67adcc132d22f3584d341bc22ea572246c6b

SHA512
bce54ab3f56c807af3a0fa1fb57e23cc92b3afe2b464ad291295b50c403693767d0ec88aef7cebfef47cfa9cd6e890dc3f06fec5a8890019a950940e7c16dc3f

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\background60.jpg

Filesize
98KB

MD5
14db8321845f7fa28050e64a218e6f24

SHA1
e9ee9ebf0e3b1e4b79c5a272e238e57662026211

SHA256
2e061faf80f40f3b62040d5ed45e2c5e628eaebe0f694aebfcbf59210a9a9e15

SHA512
1240d07269c55e4aff5b1c3666d136a53ac3fd11dbfd6b1b0b428f313a4f237001d25e01b9a87c055a3f6adfcaf6a58d74812752ad6a515b9c73e850ba7f8e6e

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.gif

Filesize
10KB

MD5
7deaa994973b314179b8dc01e39367a3

SHA1
dc1980e00d341d85251933883712900ab4ee396a

SHA256
d790d3c304409a9d5df3c890730519850492ed51699e78a74069b51e9f713209

SHA512
0ecaf08d504a8066f00063ae962d470e1c8e4b1c8daf7a682d27b0585eb2307266467a8b94396d201ba846f72ab01c302755f2beaf4910727e4b510e12d7afff

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.html

Filesize
145B

MD5
f86c28eee915d1741013788e5ccc4c0e

SHA1
a47458fc6ffa4d9d2c18c5b9384b6d923b631b0d

SHA256
3124c0b4695280933f7ead834bae53b0453caf375b736d09d086fc6f63709eba

SHA512
d39a782e207d835e9e6a49e806077c03fc81d4fc5ce196bf676420fa18ece55a604d7954a7cbfc41afa40b4efdcec0fa0b7118d66a61b52801631b8575d81762

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\skinmask60.bmp

Filesize
67KB

MD5
92d00a79ad5db3378008d291b2f97a05

SHA1
875fb977c7d5176a9d2f12d77af7d59624f0d651

SHA256
8f1b71d2f385af56b6d645123a0c8a18fec7d9f0e5b39bf28b0b59fe656d8b03

SHA512
61b688d38aa7856b19f50a81a5c2af90c29e53f9033e560d9b81f5e0cbbddd8b240107276491f1350659146bb1972f7a3dacdcf5b3f510abf01e68916d0e03ea

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\weather_window_loading.gif

Filesize
9KB

MD5
ee302873619c0e3a199641d130a42136

SHA1
b1085049afa12374326687ecac81d159db1588d5

SHA256
6eab5879e8bd8c8c9cacd431a882662c363c3fff75c702564c6f492ef0e5e601

SHA512
7b49df9b0b638ef3294910d4dda41d6d2bd74405bfc1cd886f743e710d41d68ec274fa3b6ac429088766f55ef48a6f1c6ff67d6100b5032064c352faba78b25d

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Weather.exe

Filesize
1.6MB

MD5
f2596401db33c35e17d7f3fa7f38ef8b

SHA1
ef8d5826a2dedb41759dc309aad0b48dcb6d7f14

SHA256
c01a6bb2063deffe5fb8c599092065e47d2bf547ef438d576808879c7f9b97a8

SHA512
02ca458c8a7bf33a5217e42d53042941ab5a9bb3a158ffa62018b5bd4f2801e61160519481f3fd91a9a67b4a791348f6f8f2c074bb11fe099811991f5fbe0f47

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\WxMisc.dll

Filesize
175KB

MD5
4daba1df6081aa00a3f6f6d5a043fd90

SHA1
38b8f9ef5f31003f7aa9eda06b0af8e90bf189b0

SHA256
f22fa22c8e4db3236a3810b629c67f32e6c3159d6faff522dd4d74f3c949df34

SHA512
ce4d0181d32c495d10e9f1c5b0da0af20ec501f680040e852d16c10dd15aa79f3beaa396f5e66debfd63d649a40d566405b76b7939d9849f771f8c3e50007ce7

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\download.txt

Filesize
21B

MD5
1607e9df35a98094e3236cc7feb972d3

SHA1
e74d4ad0392256a5f76287da82012209c8eeefff

SHA256
cc123b21754c44fdbf3bdb5442b1e2eeb1a913443a207ac2ba48d68753c51876

SHA512
271346bc54a8f8e789397543db1e8d0b5dc3fbb2b9022287cdad984f01e53a3511fb275ba8ebe4ad1a0457cf2c297613de9f89228754ccd97e9f30b2b745d3bc

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\download.txt

Filesize
21B

MD5
4baf242e90b0ac23315e09a297f55a1f

SHA1
a9d647c229c736c166b47b2e7f9ed42ef16b3741

SHA256
b94d7cf179bdf7cb4d22740f079a22682684890fc94da65169cf3856987f079b

SHA512
e5f004f89890f0e1f92ca485dcc48ae2b34ffb5a827867a11f6f83c4bdb340e966615937a69a88c7b121fe39ab8d06d4feb4ffe377046cd1dce237e2200f13c3

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\wxdist.dll

Filesize
214KB

MD5
9aca98b6051ab442a3b87d0db601900c

SHA1
3157a14165b5574832cdb93aeda74e3d811941e1

SHA256
aa7f7614f3e282d62add181225499fa8e16550853c76bbf725e7723fa5fc2abf

SHA512
190eccc9483a0bb75b5bf68785fdf7e356a365e3e04780f16b1a9dbd2e01cea0ca45e40e5eb1c3abe6e77bd556d8ef25a4a9ad9a0495fdfe101a406b357785c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC10F3.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID68A.tmp

Filesize
126KB

MD5
48a8123016d261e45ee807c0e238a971

SHA1
d7c8bc1e4d6437697f137cff3eca0e31e49a55cf

SHA256
871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78

SHA512
a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID69A.tmp

Filesize
125KB

MD5
17e171f53f5378f637942286c4dc05fc

SHA1
56e54c86e9445ae7b33230501f17e710c5f47596

SHA256
90d450c12864c8b76e07bd87c6ead25636fef032ffaa056722d2f53f58d64037

SHA512
d67b8ebd2e6091cf17a01ec73fc136eb9119e2fb3682b12dfb57d96f633d94be4805df5e10a5736197d64e04a6327d97bac943227155e9f9daa40e6944404fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherBugSetup.msi

Filesize
3.1MB

MD5
8c23be9e13b10ce4e5969abd7d838576

SHA1
adda1875ca69a6b9e21e4257833c508a46fa85c1

SHA256
8d62da599bb3c0262a3b90ad2ea04da1834f7e4eee95e088951a2dabeae75589

SHA512
74430f4495c11e0f1e2d747c72b7a984f531c2f1dbd18e3e772256b687c9a1a86c65dc54bfc5b03359eddd55812ce49239ab46f9aaccfa2b177c36d2ff93d02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx25B4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx25B4.tmp\inetc.dll

Filesize
20KB

MD5
e541458cfe66ef95ffbea40eaaa07289

SHA1
caec1233f841ee72004231a3027b13cdeb13274c

SHA256
3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420

SHA512
0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Download Submit
C:\Windows\Installer\MSI10C4.tmp

Filesize
109KB

MD5
2771433a2527c4b450e35d953341aac9

SHA1
d55be08e59b7228243a2db15bdf9f28540272f6f

SHA256
66fe4b4c948918cc508018c8aa111f90db610791ffeba5ada3e57a2cebd77bdf

SHA512
6514bed87ea469b539b3d56afb0922cdc5aa87eb79207fda7e3bb7b8390fa3a4fef59f916eb28fd199293b119e173942020c3329c59f007a5b59e9205c673f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
79afa41260d064335b5c2313176970e5

SHA1
7db9bb39f369956bc229f1ae7ecbd09d82db2ee6

SHA256
0a735a488b89b051552e46e266a7382ce11676d78f3f5314c5f9e599cf106a76

SHA512
92994e77f2690a88a85baddb148da86f37b76a62c940fd58faeee9510cf56384c4bcb8a769f4fe279ea4dc8b3d8ce8c540213e26541dae5350dd3457e2c78992

Download Submit
\??\Volume{8fc740eb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{265a5a4c-217b-4fdb-901d-908f41123b6f}_OnDiskSnapshotProp

Filesize
6KB

MD5
e89d1ba286df6024aa857ff4c98747fd

SHA1
e06f70fc44c0175dc3cb8e6788e56688a9de7909

SHA256
df129e63c08fac137f9fabdc46c601a703238b7ae45b96d6d8da9046ec987a9e

SHA512
afc5129b9e157772bf91f8fdce1db6439d4d7646f121dfd9df0cb5bd062e2865ad198d54ae3a22ce0b45c8165e4f85fde4058481f0a40019d37df422a3309574

Download Submit