Analysis
- max time kernel: 118s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
- Size: 3.9MB
- MD5: 5a33e9b9c627ea6bce5e8d0ca829176e
- SHA1: 013051e396b1a1e785d22e5527efdee96e60b05d
- SHA256: 6064b9d452f32cf09e464f17381b9f04fe929c8ed35f43772def8556eadec550
- SHA512: 982ee4b6a05f2a9c38d4722c5eba5fb14260dd3bcd7f6626a050c2a9fd48f10c693901e8c021bc12367ef60f8ad4899e4fb3f10d7f2aa5706d1e822b0ee79576
- SSDEEP: 98304:DkwBHjSM12JtDpJX2c+4uXzwcMSdT23sEeKGSxzEceeVTUg:DkbM12JVrXL+4umSV23+WIgVTUg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
  Processes:
    resource | yara_rule
    C:\dhcpbroker\intocrt.exe | dcrat
    behavioral1/memory/2752-32-0x0000000000B00000-0x0000000000B76000-memory.dmp | dcrat
    behavioral1/memory/2480-166-0x00000000009C0000-0x0000000000A36000-memory.dmp | dcrat
- Executes dropped EXE (4 IoCs)
  Processes:
    pid | process
    2036 | skinchanger_csgo_08.02.2021.exe
    2060 | DCrmiZ.exe
    2752 | intocrt.exe
    2480 | wininit.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    1944 | cmd.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Adobe\\Updater6\\explorer.exe\"" | intocrt.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\csrss.exe\"" | intocrt.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Defender\\de-DE\\dwm.exe\"" | intocrt.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Media Player\\it-IT\\WMIADAP.exe\"" | intocrt.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\css\\ui-lightness\\wininit.exe\"" | intocrt.exe
- Drops file in Program Files directory (6 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe | intocrt.exe
    File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\560854153607923c4c5f107085a7db67be01f252 | intocrt.exe
    File created | C:\Program Files\Windows Defender\de-DE\dwm.exe | intocrt.exe
    File created | C:\Program Files\Windows Defender\de-DE\6cb0b6c459d5d3455a3da700e713f2e2529862ff | intocrt.exe
    File created | C:\Program Files\Windows Media Player\it-IT\WMIADAP.exe | intocrt.exe
    File created | C:\Program Files\Windows Media Player\it-IT\75a57c1bdf437c0c81ad56e81f43c7323ed35745 | intocrt.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description | ioc | process
    File created | C:\Windows\rescache\rc0000\WMIADAP.exe | intocrt.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9522481-457A-11EF-971E-EA452A02DA21} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000000d4de0b41f85d967fe8ca613298f85d823ffe19514744f2faf1fe6fea400602000000000e80000000020000200000006c9dda90866808bbc17eea5b4e72ada836148001fb646918425359feb56066bd20000000b0fa964fbd6a0192f4986dea6d3f1cf8931858352120434ad69e1522df698de1400000000d0c300244a40c4068822c14c7e6991a899cb9ef1360ec730ba24ac7197fd242c49d0a1e344cbdc35745776870829133bb9207455d862f7bcdeb42e63fbe09dc | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c94ac087d9da01 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000f5c1e9976c9896ebd26e81211f39114dede39ca9c0b1bd03653fb01a4daacde9000000000e8000000002000020000000b56ea86c48f0ae364aa340b2b2d6d0cefc20693b2fb878c4f2687b311f400c8c40010000660a4c6e3517813a9b02df582c9cb50f085e329d6503c375e5b57095fb6de0cb0bebf03f0c8edecc93e7ad9d8bcddd2c36b617b6bb4a89ec9bb892a916008a87de28447f4e535007819555d868a62e289c3eeef9e1ce482d4d8f390d9818fdeb26dd47b2d6baaba3763532d4d955d690c28fdf307e983f4ff0053b83e683139b77dd8609a371c3a47c7cb83e2b316560fe02b165b7fd91245014ebfa8e5a157ebf16c3e1a55a835c9846a78ef1ba55dde7da8a08211f9579c2edfaf9bb78e0e7b9bff085a8abb477dca90777778336bb5afac6dc8c707b4e89a3bed5eac2871e9edf7f9fe3f5c0b1844747c5dad77c77fc66d450ddcab5f01a7feb09f1633ac54fb4ce62333b8ceaf9e6eecaa7ab46351e1486765fb453b6d1dcd882e86ed1696c5ab9986865b6d07023a5ce54f57f7cb5870144ad3cbee9e27340d8feaf1ad140000000df8e9713a6694af67bdf5234e0f9603eb32ee84860b9f27a7eda20cc6fd4b83f78316980dff578c4c616b33714cb1e65de1da3f7ffebf9f1f2c94909a3cd9a81 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427519835" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    884 | schtasks.exe
    1940 | schtasks.exe
    2472 | schtasks.exe
    2108 | schtasks.exe
    824 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2752 | intocrt.exe
    2480 | wininit.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2752 | intocrt.exe
    Token: SeDebugPrivilege | 2480 | wininit.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid | process
    2028 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    pid | process
    2028 | iexplore.exe
    2028 | iexplore.exe
    1988 | IEXPLORE.EXE
    1988 | IEXPLORE.EXE
    1988 | IEXPLORE.EXE
    1988 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes:
    description | pid | process | target process
    PID 2540 wrote to memory of 2036 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
    PID 2540 wrote to memory of 2036 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
    PID 2540 wrote to memory of 2036 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
    PID 2540 wrote to memory of 2036 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
    PID 2540 wrote to memory of 2060 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
    PID 2540 wrote to memory of 2060 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
    PID 2540 wrote to memory of 2060 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
    PID 2540 wrote to memory of 2060 | 2540 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
    PID 2060 wrote to memory of 2740 | 2060 | DCrmiZ.exe | WScript.exe
    PID 2060 wrote to memory of 2740 | 2060 | DCrmiZ.exe | WScript.exe
    PID 2060 wrote to memory of 2740 | 2060 | DCrmiZ.exe | WScript.exe
    PID 2060 wrote to memory of 2740 | 2060 | DCrmiZ.exe | WScript.exe
    PID 2740 wrote to memory of 1944 | 2740 | WScript.exe | cmd.exe
    PID 2740 wrote to memory of 1944 | 2740 | WScript.exe | cmd.exe
    PID 2740 wrote to memory of 1944 | 2740 | WScript.exe | cmd.exe
    PID 2740 wrote to memory of 1944 | 2740 | WScript.exe | cmd.exe
    PID 1944 wrote to memory of 2752 | 1944 | cmd.exe | intocrt.exe
    PID 1944 wrote to memory of 2752 | 1944 | cmd.exe | intocrt.exe
    PID 1944 wrote to memory of 2752 | 1944 | cmd.exe | intocrt.exe
    PID 1944 wrote to memory of 2752 | 1944 | cmd.exe | intocrt.exe
    PID 2036 wrote to memory of 2028 | 2036 | skinchanger_csgo_08.02.2021.exe | iexplore.exe
    PID 2036 wrote to memory of 2028 | 2036 | skinchanger_csgo_08.02.2021.exe | iexplore.exe
    PID 2036 wrote to memory of 2028 | 2036 | skinchanger_csgo_08.02.2021.exe | iexplore.exe
    PID 2036 wrote to memory of 2028 | 2036 | skinchanger_csgo_08.02.2021.exe | iexplore.exe
    PID 2028 wrote to memory of 1988 | 2028 | iexplore.exe | IEXPLORE.EXE
    PID 2028 wrote to memory of 1988 | 2028 | iexplore.exe | IEXPLORE.EXE
    PID 2028 wrote to memory of 1988 | 2028 | iexplore.exe | IEXPLORE.EXE
    PID 2028 wrote to memory of 1988 | 2028 | iexplore.exe | IEXPLORE.EXE
    PID 2752 wrote to memory of 824 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 824 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 824 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 884 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 884 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 884 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 1940 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 1940 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 1940 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2472 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2472 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2472 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2108 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2108 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2108 | 2752 | intocrt.exe | schtasks.exe
    PID 2752 wrote to memory of 2480 | 2752 | intocrt.exe | wininit.exe
    PID 2752 wrote to memory of 2480 | 2752 | intocrt.exe | wininit.exe
    PID 2752 wrote to memory of 2480 | 2752 | intocrt.exe | wininit.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2540
  - C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 2036
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID: 2028
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        PID: 1988
  - C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 2060
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2740
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat" "
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID: 1944
        - C:\dhcpbroker\intocrt.exe
          Command line: "C:\dhcpbroker\intocrt.exe"
          Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          PID: 2752
          - C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /rl HIGHEST /f
            Signatures: Scheduled Task/Job: Scheduled Task
            PID: 824
          - C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\csrss.exe'" /rl HIGHEST /f
            Signatures: Scheduled Task/Job: Scheduled Task
            PID: 884
          - C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
            Signatures: Scheduled Task/Job: Scheduled Task
            PID: 1940
          - C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\WMIADAP.exe'" /rl HIGHEST /f
            Signatures: Scheduled Task/Job: Scheduled Task
            PID: 2472
          - C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe'" /rl HIGHEST /f
            Signatures: Scheduled Task/Job: Scheduled Task
            PID: 2108
          - C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe
            Command line: "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            PID: 2480
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ee2f05ffac4813e1fe3c43cb7bb2b884
  SHA1: 2a11fd19ea1ea4126a2fb77d7e8eb33d1abab70a
  SHA256: 290b0e43b5eda653aa427999f8ea9ff7bffc4f38230fe1a911714d92db8bc67a
  SHA512: a5ddab0a3eaa26d798640bfe770bc7fd2353ef594ef85a33de985bd5d02e04525a32db8666d899c0f694c6a60ebfd3dde38c39412d0eb31d7699aa264f7359fe
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8fb00789721552c180668acb0fb0bc7f
  SHA1: dd5da9b8cf336533ac4567a43a8c0bffd7f51264
  SHA256: f3db672d279926ef1bfb62cdb8d98976a1398826e9e42f09030b7b50621cc65e
  SHA512: 0e8053910ffe6326bc6fe9d399ff23e94927f954e939959162c604b75ecfa3369077aed65bbd3eda2475f1a907e44e9ab3b7aade64acaaa07bef515c14f653a8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7d0262bfd6f416f7c80bde1b72b3169c
  SHA1: 5a7349062f1f34a756cf24a1eea444fd9dfb48b1
  SHA256: 0347087249bf6e0b1a40384070dcaca7e26d28eadce63a1be5415b4a72f276e9
  SHA512: 8196a16f91415cba670d93683bd1d9b1813cc93ace2b9299ac30832315d88a368315d8c9439da4dfe144b487a9a11301648e535468eff135f123a752118908e9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2c7fb611c46dbb206da04251895eefb7
  SHA1: 5898c2d65da76f67c432c341e6398c2fcb08808f
  SHA256: ff211c2563f7ed316f4519c4ee6e16ccb8e236d3706da80f23e57a094527d0c1
  SHA512: dc6e9ea2f9e51ca5642d2b70253291d619016af379481f19072022efd2b496d81f31491289db9fd4990126de10b2b32d27dbfa699b0ca9ff17e3b965bea3f705
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7922bf71ff11fa35a10eea616af062db
  SHA1: 24e52e0992a7e3513e38d566c770872417d80793
  SHA256: 9c36cfa5f1e4004a92b28e27fdd212dbebd350c7c141ded3185028d347e91060
  SHA512: 75ade3beab9decf5013b876a8366be75e99b5b5cb7010b9e05c97d3fc97a2fc344b43b9e0b575623b057f219b1cca44291ac5cee42268639532d423985ce86ca
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fd5a808c92cc7e129d56c41843a94285
  SHA1: 6559ae1f8d873245d0f88e9beeeb2e44391e7a5c
  SHA256: 879fd0f3c0aa6b01675e2c594a46d28edc3992d66b7084c825f669423a31a007
  SHA512: bfa206a5b14313d7cf87b508aab7f352a49b6253209473c52bd9ba44e71088c30950a009e680fd1df1bd65c281fb4c7e49197d8a5956fbc1eb2092c393a84a84
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 35ce9d51c2ead47fdb2ab8c9b98a66f7
  SHA1: e623e05a16db49db5ad8334ffb7269f9785f5523
  SHA256: 6b56096d32650133a800453b76beb24e61c74e33f126c5bfa1af87efb67a9db2
  SHA512: ff098d8bc521cc0bd8cc6c73b22ab67b668628821990f3e9d93e122b5b97069f490140e3ccd1e013b2ac33d46f556da55e9460a9ae4d171d52641376282d2917
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a7bdf10e4794663f9ca36750c61b8177
  SHA1: 6b4ac055ddebee251cc1a46b659b8951181e1934
  SHA256: 62182df761a28b11173d2c4cede7ca8f0eabdcb86d45be7f5e26318e0be102db
  SHA512: 2896ee06df9b43c596818ee4accdb9e6a145ca508ff2cca9c0c13dfdf593bab8173ebd633e691942c39c8197efd76289d062719dd701e6f910220660e240dc5a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 614a676a0b79c2b9b1d229b10973d0f5
  SHA1: 98744d7c06669ae4e80c003dad157751d9f8a154
  SHA256: a1007a4574266b7b17d5a0960efe2d3d655e9417785d507ceeb237a83cce9f5a
  SHA512: c0d2598ac2d36d502ae6a918d67ef0a936dfe43c07214db58db07d0826566946e46559d78bb0e82f9dcd1f0d9c697a96290b9b9fd804c4ac460f2d825c60d859
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f2d668d485ddd3d330f112a787e17b77
  SHA1: ef6b110dd571afe1effdf795bb4a184f1bde70c0
  SHA256: 6ace8f4ffd94e40c4a6200867cf7228d5e1618c9f274a75b52a27fbdf52d8f2e
  SHA512: a4b278874d6e0a16223da3f290e817f81dbab9675a58fcec3992bdbed04383e9f8787727aebf161ee9c2a11153cccbf02f5d709a2c915d49fd08bd166c1ffb2d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 402c9795775d198be9b393b78fb5c301
  SHA1: e82a69a12d8c3193a3c887f68053ea6e5286d068
  SHA256: a534a5197abaea893646da10fce9c5906fb0a26d60827d9deff8f05f9cf457f9
  SHA512: b010070cdb7d331493aa7c097c3171092cf4ba967ef7462fadd898683aa5189051726435674ce2cb6701e6891a43316e70c83f600e8ef33661e323049cdd3093
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 179721a7c1fb074e97325d61bd178d9c
  SHA1: bc4102cdf02f17677d86b30d50e9bcc98e33bf25
  SHA256: 360d8cc96016eb54b1cc1768c60f6b0e3e0df294369d18bf179c8226f4963517
  SHA512: c191e11b5866863cb3fb36608e7bb2e0eb3f836b8f059cf1901412f8a97a89b6cad89e01efba103d8b82337ce1b941dde38cccdfbed245f5255179196cc80730
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: be2af73e165e7f0d0a20326ae06452e4
  SHA1: 2fa1d039ff8631e13c91236008d31315b7d7e4fa
  SHA256: c94cc05867428940c70c5ca3da5b244a552f03392ce94d9bcc7c4dcae9aaa3bb
  SHA512: 036a01f3ebf16f1a3da0dc9e68edf7258cb9a2f8fa37d8ca80fdbaceef05370fdb1bfcb10c4ca3f32f424573430f250ebd2062b2f68bb692ab0609f83add9b64
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: eaa7a4a48d4b98f753321edb220a87eb
  SHA1: 6015044c2f8db52c0d91aea8b4de5c8037adb6eb
  SHA256: 6a7dce2dff0f388dfd8a1a5875f041592d3d41beb14ecc1c29d7f01dd924fe63
  SHA512: 83c907c382ff359aa7d192f07e983e3cd0b15478872136fcf926f23897ec0c886e5259eab4f475c01ee9fb4bcedc516e9bc9e1b6805d997288e208b75e309570
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c88606d7dd5d3121a69c34ab1da4705c
  SHA1: 26386808b872507ec5b0446cbb273f46c618875a
  SHA256: bf1f006d1feca6327f786a42437c1cd969d11db96a25420436207b87485e593a
  SHA512: 9cfaf1db4e8e0d91248b59989ed52ca40cefbc9fec33e6de7a11480227f3958219640dc52050c1c7f6e1040ac0f4834dfed85e63086ed220305d4e683d4f4b3a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ebd4c092b1d088860db7e425be0f6a90
  SHA1: 4258654cd1e8db399db70e3cb284d87cf32c7ca1
  SHA256: e3918ca3e27f9af1decbd87c166ec44e4590a7ebb36e041e066f289c38527af7
  SHA512: e52fb1327ed2959a3eb18c310d67c365f66749391a97726df3e2b1bed0c425f21949e8bc71f79ac1ae312745f6772f04389f88981a724f9d1ebd70ac1e20644d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ec0747369562efb8d8959fd23f8ac051
  SHA1: fb6258aac9b14060b47c65bb638bcf8068fe39fe
  SHA256: 128faf5ff41b8d7a7fc16e5594ae41cca23ba47d590e27ac624d5af24388852b
  SHA512: e1d125933f29297f4ce073fe6e4d8ff59aefaf118ee41b77fc665f6f7d45073b0151e008da12013aac0e8075236a23044e25891839c6a64c3ad3aa584c4e88db
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8a5e55e175ee8118eb9e8d5498371042
  SHA1: 5a602857aae91a492980b27eb74bb4f5832dc8c8
  SHA256: ec804455635e210b9fc6ddeb801b92e258f002063034ace1ddee953306df301a
  SHA512: 66b478f065e8ee83322650ad748bc5f7d1ff60e39b9a17e0a857d5aa72b11e4f441642e9ef96bb7387147dd0fd00f7659dabb022bae290d4eb7abd6baa7f8392
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1125843e8c702a04fd9fa41536933721
  SHA1: 9576c8965431bb430a49c138b4b76b623431c2ac
  SHA256: fdc3b7d38a606b921b372e33b29a44c7972bda2f25ee84f88eab7feb76652df5
  SHA512: 65075268f75b2d8bf6f57b0df8f9e1848843dc122067a3f7b5d2cdaaf3f7ed0db548676cb5340f621e80cec58d54c8c4628edf7a819aa8369d0f8dfa5fe396e0
- Filesize: 398B
  MD5: 1986531c07cb31fdd5b21f2b6152336b
  SHA1: 19ced48b63e5fb5b20707349f2d6688a02caac56
  SHA256: f0dcdfa3eb2ed159cef34f6716ffaf4cd8f8f17b0fce5bfcd54b31b6e03371f0
  SHA512: 45c8102a62e651bb548f63aeff583b72ba38c25567b06612959509d791dbba8064e8f36db383e77e0bc49745e8366ba8cd06845882c8ae48deb11969c7197b64
- Filesize: 13B
  MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
- Filesize: 1KB
  MD5: 8a8b57e816e9d652bd96849f8e64a753
  SHA1: 78a81ae72bc1e7f7ba0d42661d7e2d96e9cc5069
  SHA256: 32b20fbffdcff95e0db99983ab73d2b96a9b7518a569e28a14c1420013b50d43
  SHA512: 45e672278867dff27c9f6667b70ab2950652897735a789cd3d5b982ee6b5356928421e0f81d086ef877b643470c7d9296a9dad59969f78b9f45ed6c587f5a68d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\favicon[1].ico
  Filesize: 1KB
  MD5: 8e39f067cc4f41898ef342843171d58a
  SHA1: ab19e81ce8ccb35b81bf2600d85c659e78e5c880
  SHA256: 872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd
  SHA512: 47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 444KB
  MD5: 38e6a371b9b49ac702d736ce075720cf
  SHA1: fc45fe7359a82b3dac083d7e7db8a81f8d4f3d43
  SHA256: a043fa5ebafa40a931a1efcb3addf8e9a6e15c964d5fb3621a19640305e46e9c
  SHA512: f4f37c236059ca103177a7afc896a9753a416d0cf9b1f47874aa25a2beafbf7a2b359091cac29fa33588532f2ca809b8d1c78ce6532cf7516ad23501520d0fd4
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 4.0MB
  MD5: d1f66e48b6142bc32afbb7c3643f95cf
  SHA1: d25c69dfb6636dec0b3785e976d95abee5dbd75d
  SHA256: f30235dde35a1e71d2885f6f84adaa6a16214692e984211c64d1ad7b5adc10a8
  SHA512: 9a2be6d06914c9f02f40581e65246ea80dbacbafca8bc9343bf5c09f5544c1024d39a3af91ff0cad898d0217b0fdf993fa25db1e781a0a05aa1f469791552b17
- Filesize: 27B
  MD5: b6d7b2fd5e3c8f474280e1ba4204842e
  SHA1: 2d4a6cf418bbbaaa62b1e1aaa83a093046a925cb
  SHA256: f26d4068d07f5b1b1f49c33611cbc27a7faba8936e71b6c90911e160d5489c11
  SHA512: e3cbd02b67d6de805e3083492fbf4339537b9f164f10bbfea24b29f2e527eb486992d56f53d111dc07f9ac68f343b90617f985d3462b4845511cab1f9fc1131e
- Filesize: 222B
  MD5: 08dc32b1d4cdcf5a2f704fc5ceabe2b7
  SHA1: d166caaed25c6f0660bcadb4d914d2ca37338bd3
  SHA256: afded55b6d7bd3c7971283d1483a1f678f9898744ce8de8d2e2338a52042cf9d
  SHA512: 8f5588dc392d9b23a7306a8196727364ddcece8f8df6ebf77a3230796119f0be4957d724936f589ec95a41e2ce5c3f596d6191bcac1c7ac84e3afa5b6aca5051
- Filesize: 444KB
  MD5: be47c79de361e8b5c036c6a025c5244b
  SHA1: d68fa5f0de905e6ec474e7232da445bcdefc7c2c
  SHA256: 7775fde3daf8cf53361e33c23addc126dc1f3e9ddd9c4cf587a0e755e680086c
  SHA512: aead9390e3ed14315cbd5d27022f3c4f9a396da3a1547db598f6258f62377c5836bb0f93d970c25a075950904732f753797856981baf52cf901e4c26c8c9afcf