9710aabe455f7d733c07d70c473f904a99fc27fc44943cd882491c9f5714ae19

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 07:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
Size

3.8MB
MD5

40a9e8b4b609ab45ec4355aeea304eca
SHA1

f5f8a53c056a0895c939599782a7ce01050e90a4
SHA256

9710aabe455f7d733c07d70c473f904a99fc27fc44943cd882491c9f5714ae19
SHA512

af79e614425cd185430e247f6506dcb87ccde7187f1bb02d78f16523f364d005a093453dfd2b904003b782de486ca674965061e38d58844a2570997921ee006e
SSDEEP

49152:Ll4h1dddisoXIP3+5l6NSdqdjCBjA4/32Qo2AjgThqebtFv7Pe7fKUPp2D+FNb/P:S1mGNSYjcS2AKqebq7fPp2SxP+hiO

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\systray.exe	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\systray.exe	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3564	mightkak.exe
396	mightkak.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Servicos = "C:\\Windows\\system32\\drivers\\systray.exe"	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\kak2.bat	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File opened for modification	\??\c:\windows\kak2.bat	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File created	C:\windows\mightkak.exe	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File created	C:\windows\mightkak.reg	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File created	\??\c:\windows\kak.bat	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
File opened for modification	\??\c:\windows\kak.bat	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3052	4292	WerFault.exe	82
4944	4292	WerFault.exe	82
2516	4292	WerFault.exe	82
2772	4292	WerFault.exe	82
1740	4292	WerFault.exe	82
2312	4292	WerFault.exe	82
3224	4292	WerFault.exe	82
732	4292	WerFault.exe	82
1376	4292	WerFault.exe	82

Runs .reg file with regedit 1 IoCs

pid	Process
2112	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4624	schtasks.exe
2576	schtasks.exe
3720	schtasks.exe
3496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3564	mightkak.exe
Token: SeRestorePrivilege	3564	mightkak.exe
Token: SeBackupPrivilege	396	mightkak.exe
Token: SeRestorePrivilege	396	mightkak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3564	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	86
PID 4292 wrote to memory of 3564	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	86
PID 4292 wrote to memory of 3564	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	86
PID 4292 wrote to memory of 2112	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	87
PID 4292 wrote to memory of 2112	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	87
PID 4292 wrote to memory of 2112	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	87
PID 4292 wrote to memory of 396	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	89
PID 4292 wrote to memory of 396	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	89
PID 4292 wrote to memory of 396	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	89
PID 4292 wrote to memory of 5076	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	90
PID 4292 wrote to memory of 5076	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	90
PID 4292 wrote to memory of 5076	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	90
PID 5076 wrote to memory of 3356	5076	net.exe	93
PID 5076 wrote to memory of 3356	5076	net.exe	93
PID 5076 wrote to memory of 3356	5076	net.exe	93
PID 4292 wrote to memory of 604	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	94
PID 4292 wrote to memory of 604	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	94
PID 4292 wrote to memory of 604	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	94
PID 4292 wrote to memory of 4748	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	95
PID 4292 wrote to memory of 4748	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	95
PID 4292 wrote to memory of 4748	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	95
PID 4292 wrote to memory of 3720	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	96
PID 4292 wrote to memory of 3720	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	96
PID 4292 wrote to memory of 3720	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	96
PID 4292 wrote to memory of 4624	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	97
PID 4292 wrote to memory of 4624	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	97
PID 4292 wrote to memory of 4624	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	97
PID 4292 wrote to memory of 3496	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	99
PID 4292 wrote to memory of 3496	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	99
PID 4292 wrote to memory of 3496	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	99
PID 4292 wrote to memory of 2576	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	101
PID 4292 wrote to memory of 2576	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	101
PID 4292 wrote to memory of 2576	4292	40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe	101
PID 604 wrote to memory of 3260	604	cmd.exe	106
PID 604 wrote to memory of 3260	604	cmd.exe	106
PID 604 wrote to memory of 3260	604	cmd.exe	106
PID 4748 wrote to memory of 2512	4748	cmd.exe	109
PID 4748 wrote to memory of 2512	4748	cmd.exe	109
PID 4748 wrote to memory of 2512	4748	cmd.exe	109
PID 4748 wrote to memory of 2324	4748	cmd.exe	110
PID 4748 wrote to memory of 2324	4748	cmd.exe	110
PID 4748 wrote to memory of 2324	4748	cmd.exe	110
PID 4748 wrote to memory of 4816	4748	cmd.exe	112
PID 4748 wrote to memory of 4816	4748	cmd.exe	112
PID 4748 wrote to memory of 4816	4748	cmd.exe	112
PID 4748 wrote to memory of 4568	4748	cmd.exe	113
PID 4748 wrote to memory of 4568	4748	cmd.exe	113
PID 4748 wrote to memory of 4568	4748	cmd.exe	113
PID 4748 wrote to memory of 2448	4748	cmd.exe	114
PID 4748 wrote to memory of 2448	4748	cmd.exe	114
PID 4748 wrote to memory of 2448	4748	cmd.exe	114
PID 4748 wrote to memory of 3348	4748	cmd.exe	115
PID 4748 wrote to memory of 3348	4748	cmd.exe	115
PID 4748 wrote to memory of 3348	4748	cmd.exe	115
PID 4748 wrote to memory of 4232	4748	cmd.exe	116
PID 4748 wrote to memory of 4232	4748	cmd.exe	116
PID 4748 wrote to memory of 4232	4748	cmd.exe	116
PID 4748 wrote to memory of 1608	4748	cmd.exe	117
PID 4748 wrote to memory of 1608	4748	cmd.exe	117
PID 4748 wrote to memory of 1608	4748	cmd.exe	117
PID 4748 wrote to memory of 740	4748	cmd.exe	118
PID 4748 wrote to memory of 740	4748	cmd.exe	118
PID 4748 wrote to memory of 740	4748	cmd.exe	118
PID 4748 wrote to memory of 4116	4748	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40a9e8b4b609ab45ec4355aeea304eca_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292
- \??\c:\Windows\mightkak.exe
  c:\Windows\mightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\SysWOW64\regedit.exe
  regedit /S c:\Windows\mightkak.reg
  2⤵
  - Runs .reg file with regedit
  PID:2112
- \??\c:\Windows\mightkak.exe
  c:\Windows\mightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:system;p:create_subkey;m:deny;i:np"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\net.exe
  net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SharedAccess
    3⤵
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\kak2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\kak.bat /G todos:F
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\kak.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\bb.gpc
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\cef.gpc
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.dll
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.gmd
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\windows\system32\scpsssh2.dll
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\windows\downlo~1\gbiehuni.dll
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\windows\downlo~1\gbiehabn.dll
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\windows\downlo~1\gbiehcef.dll
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehuni.dll
    3⤵
    PID:740
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehabn.dll
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehcef.dll
    3⤵
    PID:380
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbpdist.dll
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\GbPlugin\gbpsv.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\Scpad\scpLIB.dll
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\Scpad\scpMIB.dll
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\Scpad\scpsssh2.dll
    3⤵
    PID:764
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u c:\arquiv~1\Scpad\sshib.dll
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbieh.dll /D todos
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbieh.gmd /D todos
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\bb.gpc /D todos
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbiehuni.dll /D todos
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbiehabn.dll /D todos
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbiehcef.dll /D todos
    3⤵
    PID:856
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\GbpSv.exe /D todos
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\Cef.gpc /D todos
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\uni.gpc /D todos
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbpdist.dll /D todos
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\GbPlugin\gbpsv.exe /D todos
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\downlo~1\gbiehuni.dll /D todos
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\downlo~1\gbiehabn.dll /D todos
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\downlo~1\gbiehcef.dll /D todos
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\downlo~1\Cef.gpc /D todos
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\windows\downlo~1\uni.gpc /D todos
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\Scpad\scpLIB.dll /D todos
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\Scpad\scpMIB.dll /D todos
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\Scpad\scpsssh2.dll /D todos
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\cacls.exe
    cacls c:\arquiv~1\Scpad\sshib.dll /D todos
    3⤵
    PID:2500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn initia /tr c:\windows\kak.bat /sc onstart /ru system
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn initia2 /tr c:\windows\kak.bat /sc ONLOGON /ru system
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn initia3 /tr c:\windows\kak2.bat /sc onstart /ru system
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn initia4 /tr c:\windows\kak2.bat /sc ONLOGON /ru system
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 880
  2⤵
  - Program crash
  PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 924
  2⤵
  - Program crash
  PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 924
  2⤵
  - Program crash
  PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 924
  2⤵
  - Program crash
  PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 964
  2⤵
  - Program crash
  PID:1740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 976
  2⤵
  - Program crash
  PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1056
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1216
  2⤵
  - Program crash
  PID:732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 932
  2⤵
  - Program crash
  PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4292 -ip 4292
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4292 -ip 4292
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4292 -ip 4292
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4292 -ip 4292
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4292 -ip 4292
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4292 -ip 4292
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4292 -ip 4292
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4292 -ip 4292
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mightkak.exe

Filesize
252KB

MD5
19bb0722fdbeb638df3b66b1ac1552f1

SHA1
7d9f036a3b49b9b9c6b0eb41b789837e188a8da0

SHA256
4c3e18a58be2b15784a3460c7d49f1b50755dd3ccef8003d15aa7b2ae847e748

SHA512
169a3da36cc749f12812a1ab625da622042567aad0ecebbf6fc10848ccd1cb136c5182941120d7c92881ef488a2b8b559392117cfd2050f3ecde54bad7cdb36f

Download Submit
\??\c:\Windows\mightkak.reg

Filesize
34KB

MD5
b5d19ee4e9736f6a512ce03818ade4cd

SHA1
4690be6467c065eb16881a97046e014fd3e1254f

SHA256
7f25f1fc237c1865922847d188021dbe58f1cd954750502ffb8189a2141db59a

SHA512
d490be974f077ef70c4a1af5a05289b148fcbd44973a106caa7c9af91ce2e6b0373f568328d9080f596e80d0d76e0bedd4e4923d75767d9806bbfa1a121c14fa

Download Submit
\??\c:\sim.txt

Filesize
3B

MD5
dcf2024ce15b54188e9de12e855fc761

SHA1
faae2c0b81dda269ffad17fbbd86e370f7890528

SHA256
f7217e671e4f819bc69da9d1a2d3683c26a327473bc5623a81aaaf59362bcd6e

SHA512
1919d049fef030430aa17fedd80a28e95db16ca00374737021a4d2024253a0ec8657019b3e40b33ef165e192412a4fc5b0e5e4619f8077a13664d7744c739fdf

Download Submit
\??\c:\windows\kak.bat

Filesize
2KB

MD5
d0c4fd538448e8622dbea7574ba537b9

SHA1
5c93e5b41976d542ad3046a3d9e2f3df1a09a351

SHA256
01d25c4369a9b34ffd1dfb32fe4ac2418101bd0ec9086a9f90703c584689865b

SHA512
f2ce6815a7fa2457c7b033526803e6afdf54adf3abf5e6c9054459e816ec3fd6ee3683ba5d15e0bbd04ee1dfa92a87cf239da9e2bebc1dcd82e66952f91fab0a

Download Submit
\??\c:\windows\kak2.bat

Filesize
50B

MD5
d9f34835bccfcf8be94df30e09457da5

SHA1
d299c12dd6a9f2046b2eefc734324807d51ce356

SHA256
220ac3d340d31a0343754aaaf2fd56f5889d136832a1857ecfaaed3ff4d0dcf5

SHA512
4c2e4eac7d07bd3408b8648914f3e93c2ca46bde632c75b115b5d58a4d7acf8fea318042f1150441f32bc018d4c323c60ecd85b7d3555e355b4d89fd5c304eef

Download Submit
memory/4292-0-0x0000000000400000-0x00000000013E8000-memory.dmp

Filesize
15.9MB

Download
memory/4292-1-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/4292-18-0x0000000000400000-0x00000000013E8000-memory.dmp

Filesize
15.9MB

Download
memory/4292-19-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download