Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 01:04
Behavioral task: behavioral1
Sample: 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Size: 1.2MB
MD5: 658988f2b817b216bc2e5d6fc4a2d189
SHA1: 6bddb74ac5f44bf9576e07894209e27cdf41600f
SHA256: 0f75723047e0c8fcd31f2c51ecf0ec3b920fa39ebaa2c9ab2c38a33c3e6878c8
SHA512: c45223591741115ae827470cdd1c26c635ebe50b883e0917fe40e1b4ffe62d41691eebb977acbcbb434b4b1647ab5fb1af0ad9d28cc1eccd5df2a493c36baf9c
SSDEEP: 24576:nfRTV3CBOQb5NsrsdBauN7+mj2SS+Ha5dUuT:ZTV3CBOGba8So7S+HaYq
Malware Config

Extracted

Family: darkcomet
Campaign ID: defeult (spelling as extracted from the sample)
C2: someonei.zapto.org:1604
Mutex: DC_MUTEX-84ZPHN0
InstallPath: MSDCSC\crss.exe
gencode: jdDHAcgEiQiK
install: true
offline_keylogger: true
persistence: true
reg_key: crss

The InstallPath is relative to the system directory, the gencode string reappears below as a sub-directory name under MSDCSC, and reg_key is the value name the sample uses under the Run key.
Signatures

Modifies WinLogon for persistence (2 TTPs, 21 IoCs)

Registry value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit (Set value (str)), 21 writes in total. Winlogon launches every comma-separated entry in this value at logon; on a clean system it holds only userinit.exe.

First write, by 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe:
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe"

The remaining 20 writes are by crss.exe. Each dropped copy appends its own location to the existing value instead of replacing it, so the string grows with every execution and cycles through three paths, one per nesting level of the gencode directory:
  C:\\Windows\\system32\\MSDCSC\\crss.exe
  C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe
  C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe

Longest value in the log (22 entries), written by crss.exe:
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe"

The other crss.exe writes are intermediate lengths of the same pattern. Note that the registry strings name C:\Windows\system32 while the file events later in this report show the copies under C:\Windows\SysWOW64: that is consistent with a 32-bit process writing to System32 on this x64 host and having the writes redirected by WOW64 file-system redirection. A responder checking a host should look for the MSDCSC directory under both locations.
Drops file in Drivers directory (21 IoCs)

File opened for modification: C:\Windows\system32\drivers\etc\hosts, 21 events: 1 by 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe and 20 by crss.exe. The report records only that the file was opened for writing; the content written, if any, is not shown.
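The hosts-file events above say nothing about what was written. The following is an added example, not part of the report, showing the check a responder would run on the file afterwards: parse every active mapping the resolver would honour, drop allow-listed ones, and say whether each remaining entry nulls a name (loopback/unspecified address) or hijacks it (any other address). The hosts content and hostnames in SAMPLE_HOSTS are constructed for illustration.

```python
r"""Hosts-file integrity check.

Added example, not part of the sandbox report. The report only records that
crss.exe (and the original sample) opened C:\Windows\system32\drivers\etc\hosts
for modification; it does not show what was written, so SAMPLE_HOSTS below is
constructed for illustration and the hostnames in it are invented.
"""
from __future__ import annotations

import ipaddress

# A stock Windows hosts file contains only comments; localhost is resolved by
# the stack itself. Site-specific entries an admin deliberately added go here.
ALLOWLIST: set[tuple[str, str]] = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: stock header plus three entries of the kind an implant adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   update.av-vendor.example      # constructed: vendor update host nulled
0.0.0.0     telemetry.os-vendor.example   # constructed
203.0.113.7 login.bank.example            # constructed: hijack to attacker-controlled IP
"""


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active mapping.

    Comments (everything after '#'), blank lines and lines whose first field is
    not an IP address are skipped, mirroring what the resolver would honour.
    """
    mappings: list[tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # also normalises the address text
        except ValueError:
            continue
        for host in fields[1:]:
            mappings.append((line_no, ip, host.lower()))
    return mappings


def audit_hosts(text: str, allow: set[tuple[str, str]] = ALLOWLIST) -> list[dict]:
    """Flag every mapping not on the allow-list and classify what it does.

    'block'    : the name resolves to loopback or 0.0.0.0, i.e. it is silently
                 nulled (the usual way an implant cuts off AV and update servers).
    'redirect' : the name resolves to some other address, i.e. it is hijacked.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if (ip, host) in allow:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['kind']:<8} {f['host']} -> {f['ip']}")
```

Run it against a copy of the hosts file pulled from the suspect host (`audit_hosts(open(path).read())`); an empty result on a machine whose admins never touch the file is the expected baseline, and any `redirect` finding deserves attention before any `block`.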
Deletes itself (1 IoC)

pid 1296, notepad.exe (the deletion of the original file is attributed to a notepad.exe process, not to the sample's own process)
Executes dropped EXE (20 IoCs)

crss.exe, pids in order of execution: 2764, 320, 2228, 2012, 2632, 2560, 1880, 1164, 3068, 2916, 2616, 1288, 1824, 2504, 2632, 2152, 632, 1628, 2852, 1372. The sample re-launches its dropped copy repeatedly for the length of the run; pid 2632 appears twice because the OS reused it.
Identifies Wine through registry keys (2 TTPs, 21 IoCs)

Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

Key opened: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine, 21 events: 1 by 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe and 20 by crss.exe (one per execution).
Loads dropped DLL (40 IoCs)

Two loads per process: 2108 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe, then crss.exe as pids 2764, 320, 2228, 2012, 2632, 2560, 1880, 1164, 3068, 2916, 2616, 1288, 1824, 2504, 2632, 2152, 632, 1628, 2852.
YARA matches: themida (30 IoCs)

Every process image (0x400000-0x668000) and the dropped file match the Themida packer rule; three additional heap regions also match.

resource (yara_rule: themida):
  behavioral1/memory/2108-0-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2108-22-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2108-5-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/files/0x00080000000162d8-24.dat
  behavioral1/memory/2764-34-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/320-81-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2764-80-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2228-128-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/320-126-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2228-172-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2012-218-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2632-220-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2632-265-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1880-312-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2560-309-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1164-358-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1880-356-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/3068-405-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1164-404-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/3068-448-0x0000000006DC0000-0x0000000007028000-memory.dmp
  behavioral1/memory/2916-451-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2916-498-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/2616-543-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1288-545-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1288-585-0x0000000006E30000-0x0000000007098000-memory.dmp
  behavioral1/memory/1824-589-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/3068-588-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1288-586-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1824-630-0x0000000000400000-0x0000000000668000-memory.dmp
  behavioral1/memory/1824-629-0x0000000006DC0000-0x0000000007028000-memory.dmp
Adds Run key to start application (2 TTPs, 21 IoCs)

Registry value: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\crss (Set value (str)), 21 writes: 1 by 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (value "C:\\Windows\\system32\\MSDCSC\\crss.exe") and 20 by crss.exe. Unlike UserInit this value is overwritten, not appended, so it only ever holds one of three paths, whichever copy ran last:
  "C:\\Windows\\system32\\MSDCSC\\crss.exe"
  "C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe"
  "C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe"

The value name crss matches the reg_key field of the extracted config.
Drops file in System32 directory (64 IoCs)

All 64 events are under C:\Windows\SysWOW64\MSDCSC\ (see the WOW64 note under the Winlogon signature). Two are by 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (File created and File opened for modification of C:\Windows\SysWOW64\MSDCSC\crss.exe); the rest are by crss.exe. Distinct operations and paths:

File created:
  C:\Windows\SysWOW64\MSDCSC\crss.exe
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe

File opened for modification:
  C:\Windows\SysWOW64\MSDCSC\
  C:\Windows\SysWOW64\MSDCSC\crss.exe
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\
  C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe

Each execution installs a fresh copy one gencode directory deeper than the copy that spawned it, which is why the three nesting levels recur across the Winlogon, Run-key and file events.
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
pid | Process
2108 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
2764 | crss.exe
320 | crss.exe
2228 | crss.exe
2012 | crss.exe
2632 | crss.exe
2560 | crss.exe
1880 | crss.exe
1164 | crss.exe
3068 | crss.exe
2916 | crss.exe
2616 | crss.exe
1288 | crss.exe
1824 | crss.exe
2504 | crss.exe
2632 | crss.exe
2152 | crss.exe
632 | crss.exe
1628 | crss.exe
2852 | crss.exe
1372 | crss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process
2108 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
2764 | crss.exe
320 | crss.exe
2228 | crss.exe
2012 | crss.exe
2632 | crss.exe
2560 | crss.exe
1880 | crss.exe
1164 | crss.exe
3068 | crss.exe
2916 | crss.exe
2616 | crss.exe
1288 | crss.exe
1824 | crss.exe
2504 | crss.exe
2632 | crss.exe
2152 | crss.exe
632 | crss.exe
1628 | crss.exe
2852 | crss.exe
1372 | crss.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Each row is one "Token: <privilege>" entry for the given pid and Process; the 64 rows (the report's cap) are grouped here by pid, in the order the report lists them.

PID 2108 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe | 23 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 2764 | crss.exe | 23 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 320 | crss.exe | 18 entries (list cut off by the 64-row cap):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

The entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Taken together the list is every privilege present in an elevated administrator token, enabled one after another in LUID order; each crss.exe generation repeats the same sequence.
-
Suspicious use of WriteProcessMemory 64 IoCs
Rows grouped by identical (description, pid, Process, procid_target); the count column gives how many times the row occurs. The 64-row cap cuts the list off inside the last group, so the same pattern for the deeper crss.exe generations is not shown.

description | pid | Process | procid_target | count
PID 2108 wrote to memory of 1296 | 2108 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe | 30 | 18
PID 2108 wrote to memory of 2764 | 2108 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe | 31 | 4
PID 2764 wrote to memory of 2956 | 2764 | crss.exe | 32 | 18
PID 2764 wrote to memory of 320 | 2764 | crss.exe | 33 | 4
PID 320 wrote to memory of 1760 | 320 | crss.exe | 34 | 18
PID 320 wrote to memory of 2228 | 320 | crss.exe | 35 | 2

Cross-referenced with the Processes tree below: 1296, 2956 and 1760 are the notepad.exe children, 2764, 320 and 2228 the next crss.exe generation. Each writer makes a burst of writes into its notepad.exe child and a handful into the crss.exe it spawns next.
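Added example, not part of the sandbox report: a small Python parser for rows in the shape of the WriteProcessMemory table above. It counts writes per writer/target pair, flags writers that repeatedly write into a process running a different image (here the notepad.exe children, the pattern behind the sandbox's signature) and follows the writer-to-target edges from the submitted sample to recover the crss.exe replication chain. The sample rows and the PID-to-image map are constructed from the data on this page (a subset of it); nothing else is assumed.

```python
import re
from collections import Counter

# Constructed sample (added example, not part of the sandbox report): a subset of the
# "Suspicious use of WriteProcessMemory" rows above, in the report's own row shape
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
SAMPLE_ROWS = """\
PID 2108 wrote to memory of 1296 2108 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 30
PID 2108 wrote to memory of 1296 2108 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 30
PID 2108 wrote to memory of 2764 2108 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 31
PID 2764 wrote to memory of 2956 2764 crss.exe 32
PID 2764 wrote to memory of 2956 2764 crss.exe 32
PID 2764 wrote to memory of 320 2764 crss.exe 33
PID 320 wrote to memory of 1760 320 crss.exe 34
PID 320 wrote to memory of 1760 320 crss.exe 34
PID 320 wrote to memory of 2228 320 crss.exe 35
"""

# Constructed from the Processes tree on this page (subset): sandbox PID -> image name.
PID_IMAGE = {
    2108: "658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe",
    1296: "notepad.exe", 2764: "crss.exe", 2956: "notepad.exe",
    320: "crss.exe", 1760: "notepad.exe", 2228: "crss.exe",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Parse report rows into (writer_pid, target_pid, writer_image) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        writer, target, writer_again, image, _procid_target = m.groups()
        if writer != writer_again:  # the two pid columns must agree
            raise ValueError(f"pid columns disagree: {line!r}")
        rows.append((int(writer), int(target), image))
    return rows


def write_counts(rows):
    """Number of WriteProcessMemory events per (writer_pid, target_pid) pair."""
    return Counter((w, t) for w, t, _ in rows)


def cross_image_writes(rows, pid_image, min_writes=2):
    """(writer, target, target image, writes) for writers that repeatedly write into a
    process running a different image. In this report every crss.exe hits its
    notepad.exe child many times; that is what the sandbox signature reacts to."""
    hits = []
    for (w, t), n in write_counts(rows).items():
        if n >= min_writes and pid_image.get(t) != pid_image.get(w):
            hits.append((w, t, pid_image.get(t, "?"), n))
    return sorted(hits)


def replication_chain(rows, pid_image, root_pid, image="crss.exe"):
    """Follow writer -> target edges from root_pid, stepping only onto targets that run
    `image`. Returns the pids of the self-replication chain; cycle-safe via `seen`."""
    children = {}
    for w, t, _ in rows:
        children.setdefault(w, [])
        if t not in children[w]:
            children[w].append(t)
    chain, seen, cur = [root_pid], {root_pid}, root_pid
    while True:
        nxt = [t for t in children.get(cur, [])
               if pid_image.get(t) == image and t not in seen]
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)
```

Against the full 64-row table the same functions return 18 writes into each notepad.exe child and the chain 2108, 2764, 320, 2228; on real EDR telemetry the PID-to-image map comes from process-creation events rather than a hand-built dictionary.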
Processes
-
Each entry gives its depth in the process tree (depth 1 is the submitted sample); an entry at depth N+1 is a child of the nearest preceding entry at depth N, so each crss.exe spawns a notepad.exe and then, until the run ended, the next crss.exe. The first path is the image as recorded on disk, the second the command line as launched: the 32-bit sample asks for system32 and the WOW64 file-system redirector places the file under SysWOW64. PID 2632 appears three times (depth 6, 16 and 22): the sandbox reused the PID after the earlier process had exited, which is why it is listed twice in the 21-entry IoC lists above.

[depth 1] C:\Users\Admin\AppData\Local\Temp\658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (PID 2108)
  command line: "C:\Users\Admin\AppData\Local\Temp\658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\notepad.exe (PID 1296)
  command line: notepad
  - Deletes itself
[depth 2] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 2764)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\notepad.exe (PID 2956)
  command line: notepad
[depth 3] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 320)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\notepad.exe (PID 1760)
  command line: notepad
[depth 4] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 2228)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 5] C:\Windows\SysWOW64\notepad.exe (PID 1560)
  command line: notepad
[depth 5] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 2012)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 6] C:\Windows\SysWOW64\notepad.exe (PID 1596)
  command line: notepad
[depth 6] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 2632)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 7] C:\Windows\SysWOW64\notepad.exe (PID 760)
  command line: notepad
[depth 7] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 2560)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 8] C:\Windows\SysWOW64\notepad.exe (PID 1308)
  command line: notepad
[depth 8] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 1880)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 9] C:\Windows\SysWOW64\notepad.exe (PID 1812)
  command line: notepad
[depth 9] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 1164)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 10] C:\Windows\SysWOW64\notepad.exe (PID 1644)
  command line: notepad
[depth 10] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 3068)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 11] C:\Windows\SysWOW64\notepad.exe (PID 2336)
  command line: notepad
[depth 11] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 2916)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 12] C:\Windows\SysWOW64\notepad.exe (PID 2844)
  command line: notepad
[depth 12] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 2616)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 13] C:\Windows\SysWOW64\notepad.exe (PID 1784)
  command line: notepad
[depth 13] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 1288)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 14] C:\Windows\SysWOW64\notepad.exe (PID 2944)
  command line: notepad
[depth 14] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 1824)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 15] C:\Windows\SysWOW64\notepad.exe (PID 696)
  command line: notepad
[depth 15] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 2504)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 16] C:\Windows\SysWOW64\notepad.exe (PID 3012)
  command line: notepad
[depth 16] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 2632)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 17] C:\Windows\SysWOW64\notepad.exe (PID 1728)
  command line: notepad
[depth 17] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 2152)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 18] C:\Windows\SysWOW64\notepad.exe (PID 872)
  command line: notepad
[depth 18] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 632)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 19] C:\Windows\SysWOW64\notepad.exe (PID 2960)
  command line: notepad
[depth 19] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 1628)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 20] C:\Windows\SysWOW64\notepad.exe (PID 2780)
  command line: notepad
[depth 20] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 2852)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 21] C:\Windows\SysWOW64\notepad.exe (PID 2656)
  command line: notepad
[depth 21] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 1372)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 22] C:\Windows\SysWOW64\notepad.exe (PID 2632)
  command line: notepad
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
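Added example, not part of the sandbox report: the check an analyst runs for the "Modifies WinLogon for persistence" signature mapped above to Winlogon Helper DLL. It splits a Winlogon Userinit value into its entries, returns the ones that are not the stock userinit.exe (de-duplicated, since this sample re-appends its own paths on every generation), and for each one computes where a 32-bit writer on 64-bit Windows actually put the file. That last step matters for this report: the command lines and the Userinit value name C:\Windows\system32\MSDCSC\..., while the files were created under C:\Windows\SysWOW64\MSDCSC\..., so an investigator has to look at both locations. The sample Userinit value below is constructed from the paths visible in the Processes tree; the stock userinit.exe path is the Windows default. The Run-key half of the persistence is not covered here.

```python
import re

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed sample (added example, not the value from the report): the shape this
# sample writes, built from the command lines in the Processes tree on this page. The
# repeated entry is deliberate; the malware re-appends its paths on every run.
SAMPLE_USERINIT = (
    r"C:\Windows\system32\userinit.exe,"
    r"C:\Windows\system32\MSDCSC\crss.exe,"
    r"C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe,"
    r"C:\Windows\system32\MSDCSC\crss.exe"
)


def parse_userinit(value):
    """Split a Userinit value into entries. Winlogon treats it as a comma-separated
    list and tolerates a trailing comma, so empty entries are dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def extra_userinit_entries(value, allowed=(DEFAULT_USERINIT,)):
    """Entries other than the allowed stock ones, compared case-insensitively,
    de-duplicated and returned in first-seen order."""
    allowed_lc = {a.lower() for a in allowed}
    seen, extras = set(), []
    for entry in parse_userinit(value):
        key = entry.lower()
        if key in allowed_lc or key in seen:
            continue
        seen.add(key)
        extras.append(entry)
    return extras


# <drive>:\Windows\system32\ prefix, any letter case.
_SYS32 = re.compile(r"(?i)^(?P<root>[a-z]:\\windows\\)system32\\")


def wow64_redirect(path):
    """Where a 32-bit process on 64-bit Windows lands when it writes under
    %windir%\\system32: the file-system redirector maps it to %windir%\\SysWOW64.
    Paths that are not under system32 are returned unchanged."""
    return _SYS32.sub(lambda m: m.group("root") + "SysWOW64\\", path)


def persistence_report(value):
    """For every extra Userinit entry: the path as configured (what a 64-bit Winlogon
    would read) and the path a 32-bit dropper would actually have written. When the
    two differ, both locations need to be checked and cleaned on the host."""
    report = []
    for configured in extra_userinit_entries(value):
        on_disk = wow64_redirect(configured)
        report.append({
            "configured": configured,
            "likely_on_disk": on_disk,
            "redirected": on_disk.lower() != configured.lower(),
        })
    return report
```

On a live host the value comes from the registry (for example `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`); the functions here only need the string. Remediation is to reset Userinit to the single stock entry (with its trailing comma) and remove the MSDCSC directories from both the system32 and SysWOW64 locations.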
Downloads
-
Filesize: 39B
MD5: 857b6bb99a59c5b78f9dd2b9c2dc31e5
SHA1: 05a01f96173511d1a25fb77f06e4d5f99b9f7c48
SHA256: f54f3c669bd072ba2107b0ea6233de465dd283f8c50f47e662729c766fb644ac
SHA512: 047ff5edecc5c31661e540fc5e84616ba2f841482237336fb228887eb8cfabf696f663cf0da8762337e17b97f76688c64454793afc9ffb4a4e6cb005d795f68b
-
Filesize: 1.2MB (same MD5 as in the submitted sample's file name, i.e. the dropped crss.exe is a byte-identical copy of the original executable)
MD5: 658988f2b817b216bc2e5d6fc4a2d189
SHA1: 6bddb74ac5f44bf9576e07894209e27cdf41600f
SHA256: 0f75723047e0c8fcd31f2c51ecf0ec3b920fa39ebaa2c9ab2c38a33c3e6878c8
SHA512: c45223591741115ae827470cdd1c26c635ebe50b883e0917fe40e1b4ffe62d41691eebb977acbcbb434b4b1647ab5fb1af0ad9d28cc1eccd5df2a493c36baf9c