Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 23/07/2024, 01:04
Behavioral task: behavioral1
Sample: 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Size: 1.2MB
MD5: 658988f2b817b216bc2e5d6fc4a2d189
SHA1: 6bddb74ac5f44bf9576e07894209e27cdf41600f
SHA256: 0f75723047e0c8fcd31f2c51ecf0ec3b920fa39ebaa2c9ab2c38a33c3e6878c8
SHA512: c45223591741115ae827470cdd1c26c635ebe50b883e0917fe40e1b4ffe62d41691eebb977acbcbb434b4b1647ab5fb1af0ad9d28cc1eccd5df2a493c36baf9c
SSDEEP: 24576:nfRTV3CBOQb5NsrsdBauN7+mj2SS+Ha5dUuT:ZTV3CBOGba8So7S+HaYq
Malware Config
Extracted
Family: darkcomet
Botnet: defeult
C2: someonei.zapto.org:1604
Mutex: DC_MUTEX-84ZPHN0
InstallPath: MSDCSC\crss.exe
gencode: jdDHAcgEiQiK
install: true
offline_keylogger: true
persistence: true
reg_key: crss
Signatures

Modifies WinLogon for persistence (2 TTPs, 19 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe" 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\crss.exe,C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe" crss.exe
(17 further Set value (str) entries by crss.exe rewrite the same UserInit value with longer comma-separated lists built from the same three paths: C:\\Windows\\system32\\MSDCSC\\crss.exe, C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe and C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe, always prefixed by C:\\Windows\\system32\\userinit.exe)
Drops file in Drivers directory (19 IoCs)
description ioc Process
File opened for modification C:\Windows\system32\drivers\etc\hosts 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
File opened for modification C:\Windows\system32\drivers\etc\hosts crss.exe (18 identical entries, one per crss.exe process)
Checks computer location settings (2 TTPs, 19 IoCs)
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation crss.exe (18 identical entries, one per crss.exe process)
Deletes itself (1 IoCs)
pid Process
1360 notepad.exe
Executes dropped EXE (18 IoCs)
pid Process
4756 crss.exe, 4588 crss.exe, 4408 crss.exe, 4920 crss.exe, 1668 crss.exe, 1168 crss.exe, 4500 crss.exe, 912 crss.exe, 1204 crss.exe, 2432 crss.exe, 1948 crss.exe, 4624 crss.exe, 4852 crss.exe, 4580 crss.exe, 2492 crss.exe, 4416 crss.exe, 1576 crss.exe, 4480 crss.exe
Identifies Wine through registry keys (2 TTPs, 19 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine crss.exe (18 identical entries, one per crss.exe process)
resource yara_rule
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000668000-memory.dmp themida (the same image range matched for the sample process 3756 and for every crss.exe process: 4756, 4588, 4408, 4920, 1668, 1168, 4500, 912, 1204, 2432, 1948, 4624, 4852, 4580, 2492, 4416, 1576, 4480)
behavioral2/files/0x0007000000023452-11.dat themida
Adds Run key to start application (2 TTPs, 19 IoCs)
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Windows\\system32\\MSDCSC\\crss.exe" 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Windows\\system32\\MSDCSC\\crss.exe" crss.exe (5 entries)
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe" crss.exe (7 entries)
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss = "C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\jdDHAcgEiQiK\\crss.exe" crss.exe (6 entries)
Drops file in System32 directory (64 IoCs)
description ioc Process (distinct entries; the 64 IoCs repeat these across the crss.exe processes)
File created C:\Windows\SysWOW64\MSDCSC\crss.exe 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\ 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\crss.exe 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
File created C:\Windows\SysWOW64\MSDCSC\crss.exe crss.exe
File created C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe crss.exe
File created C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\ crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\crss.exe crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\ crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\ crss.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe crss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
pid Process
3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
4756 crss.exe
4588 crss.exe
4408 crss.exe
4920 crss.exe
1668 crss.exe
1168 crss.exe
4500 crss.exe
912 crss.exe
1204 crss.exe
2432 crss.exe
1948 crss.exe
4624 crss.exe
4852 crss.exe
4580 crss.exe
2492 crss.exe
4416 crss.exe
1576 crss.exe
4480 crss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 18 IoCs
description ioc Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | crss.exe (17 records, one per crss.exe stage)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (1 record)
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process (each PID is recorded twice)
3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe
4756 crss.exe
4588 crss.exe
4408 crss.exe
4920 crss.exe
1668 crss.exe
1168 crss.exe
4500 crss.exe
912 crss.exe
1204 crss.exe
2432 crss.exe
1948 crss.exe
4624 crss.exe
4852 crss.exe
4580 crss.exe
2492 crss.exe
4416 crss.exe
1576 crss.exe
4480 crss.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (privileges 33 to 36 are reported by LUID only)
Token, pid 3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (24 records):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Token, pid 4756 crss.exe (24 records):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Token, pid 4588 crss.exe (16 records; the list is capped at 64 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical records grouped, with their count)
PID 3756 wrote to memory of 1360 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe | procid_target 86 | 17 records
PID 3756 wrote to memory of 4756 | 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe | procid_target 87 | 3 records
PID 4756 wrote to memory of 4692 | crss.exe | procid_target 89 | 17 records
PID 4756 wrote to memory of 4588 | crss.exe | procid_target 90 | 3 records
PID 4588 wrote to memory of 2796 | crss.exe | procid_target 91 | 17 records
PID 4588 wrote to memory of 4408 | crss.exe | procid_target 92 | 3 records
PID 4408 wrote to memory of 4964 | crss.exe | procid_target 93 | 4 records (list capped at 64 IoCs)
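The WriteProcessMemory records encode the process lineage: writer PID, target PID, the writer's image name and the sandbox's own target id, one record per write. Two things are worth pulling out of them: the parent/child chain (3756 launches 4756, 4756 launches 4588, and so on), and the fact that each notepad.exe child receives far more writes than each crss.exe child, which is the first thing to look at when deciding whether notepad.exe is hosting injected code. The example below is added here and is not part of the sandbox report. It parses a constructed excerpt of those records (strings copied from this page but cut down, so the write counts are the excerpt's, not the report's) into a tree, counts writes per pair, and flags stages that write into a process carrying their own image name, which is how the nested crss.exe chain shows up. The PID-to-image map comes from the "pid Process" list under the NtSetInformationThreadHideFromDebugger signature; the notepad.exe children are not in that list, so they render as "?".

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's "Suspicious use of WriteProcessMemory" records. The
# report lists 17 writes into each notepad.exe child and 3 into each crss.exe child; the
# counts here are the excerpt's only.
# Record format: "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
SAMPLE_WPM = """\
PID 3756 wrote to memory of 1360 3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 86
PID 3756 wrote to memory of 1360 3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 86
PID 3756 wrote to memory of 4756 3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe 87
PID 4756 wrote to memory of 4692 4756 crss.exe 89
PID 4756 wrote to memory of 4588 4756 crss.exe 90
PID 4588 wrote to memory of 2796 4588 crss.exe 91
PID 4588 wrote to memory of 4408 4588 crss.exe 92
PID 4408 wrote to memory of 4964 4408 crss.exe 93
"""

# Constructed excerpt of the flattened "pid Process" list that names the RAT stages.
SAMPLE_PIDS = ("3756 658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe "
               "4756 crss.exe 4588 crss.exe 4408 crss.exe")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PID_RE = re.compile(r"(\d+) (\S+)")


def parse_wpm(text):
    """One edge per (writer, target) pair; repeated records become a write count."""
    edges = {}
    for writer, target, image, procid in WPM_RE.findall(text):
        key = (int(writer), int(target))
        entry = edges.setdefault(key, {"image": image, "procid_target": int(procid), "writes": 0})
        entry["writes"] += 1
    return edges


def parse_pids(text):
    """PID -> image name from a flattened 'pid Process' list."""
    return {int(pid): image for pid, image in PID_RE.findall(text)}


def build_tree(edges):
    """Writer PID -> list of target PIDs, in report order."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    return children


def depths(children, root):
    """Depth of every PID reachable from root (root = 0), breadth-first."""
    out = {root: 0}
    queue = [root]
    while queue:
        pid = queue.pop(0)
        for child in children.get(pid, []):
            if child not in out:
                out[child] = out[pid] + 1
                queue.append(child)
    return out


def same_image_launches(edges, images):
    """(writer, target) pairs where a stage writes into a process with its own image name,
    i.e. the crss.exe -> crss.exe re-launch chain. PIDs with no known image are skipped."""
    return [(w, t) for (w, t) in edges
            if images.get(w) is not None and images.get(w) == images.get(t)]


def render(children, images, root, indent=0):
    """Indented text tree, one line per process."""
    lines = ["  " * indent + f"{root} {images.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, images, child, indent + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(SAMPLE_WPM)
    images = parse_pids(SAMPLE_PIDS)
    tree = build_tree(edges)
    print("\n".join(render(tree, images, 3756)))
    for (w, t), info in edges.items():
        print(f"{w} -> {t}: {info['writes']} write(s), procid_target {info['procid_target']}")
    print("same-image launches:", same_image_launches(edges, images))
```

Run against the full 64-record list the same code gives the 17-versus-3 split per pair; the cap means the 4408 -> 4964 pair and everything below it is truncated, so depth and write counts for the deeper stages must come from the process tree section, not from these records.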
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe (PID 3756)
  command line: "C:\Users\Admin\AppData\Local\Temp\658988f2b817b216bc2e5d6fc4a2d189_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\notepad.exe (PID 1360)
  command line: notepad
  - Deletes itself
[depth 2] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 4756)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\notepad.exe (PID 4692)
  command line: notepad
[depth 3] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 4588)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\notepad.exe (PID 2796)
  command line: notepad
[depth 4] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 4408)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\notepad.exe (PID 4964)
  command line: notepad
[depth 5] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 4920)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 6] C:\Windows\SysWOW64\notepad.exe (PID 4048)
  command line: notepad
[depth 6] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 1668)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 7] C:\Windows\SysWOW64\notepad.exe (PID 3936)
  command line: notepad
[depth 7] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 1168)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 8] C:\Windows\SysWOW64\notepad.exe (PID 2796)
  command line: notepad
[depth 8] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 4500)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 9] C:\Windows\SysWOW64\notepad.exe (PID 4984)
  command line: notepad
[depth 9] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 912)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 10] C:\Windows\SysWOW64\notepad.exe (PID 4636)
  command line: notepad
[depth 10] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 1204)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 11] C:\Windows\SysWOW64\notepad.exe (PID 2516)
  command line: notepad
[depth 11] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 2432)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 12] C:\Windows\SysWOW64\notepad.exe (PID 1420)
  command line: notepad
[depth 12] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 1948)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 13] C:\Windows\SysWOW64\notepad.exe (PID 3284)
  command line: notepad
[depth 13] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 4624)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 14] C:\Windows\SysWOW64\notepad.exe (PID 1148)
  command line: notepad
[depth 14] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 4852)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 15] C:\Windows\SysWOW64\notepad.exe (PID 4348)
  command line: notepad
[depth 15] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 4580)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 16] C:\Windows\SysWOW64\notepad.exe (PID 2420)
  command line: notepad
[depth 16] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 2492)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 17] C:\Windows\SysWOW64\notepad.exe (PID 1632)
  command line: notepad
[depth 17] C:\Windows\SysWOW64\MSDCSC\crss.exe (PID 4416)
  command line: "C:\Windows\system32\MSDCSC\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 18] C:\Windows\SysWOW64\notepad.exe (PID 2472)
  command line: notepad
[depth 18] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\crss.exe (PID 1576)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 19] C:\Windows\SysWOW64\notepad.exe (PID 752)
  command line: notepad
[depth 19] C:\Windows\SysWOW64\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe (PID 4480)
  command line: "C:\Windows\system32\MSDCSC\jdDHAcgEiQiK\jdDHAcgEiQiK\crss.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[depth 20] C:\Windows\SysWOW64\notepad.exe (PID 4032)
  command line: notepad
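Every crss.exe stage in the tree above carries "Modifies WinLogon for persistence" and "Adds Run key to start application". Winlogon's Userinit value is a comma-separated list of programs started at every interactive logon, and on a stock install it holds only userinit.exe, so any extra entry is an autostart (ATT&CK T1547.004). The example below is added here and is not part of the sandbox report: it models the triage check for that value in Python so that it runs offline. It splits the list, flags anything other than the default, counts entries that appear more than once (an implant that re-appends itself each time it runs produces duplicates), applies two heuristics taken from this report's drop paths (an MSDCSC directory, and a crss.exe that is one letter short of the real csrss.exe), and lists where to look on disk. That last step matters on x64: every stage above loads from C:\Windows\SysWOW64\MSDCSC\ although its command line names C:\Windows\system32\MSDCSC\, because a 32-bit process writing under system32 is redirected to SysWOW64 by WOW64, so the path recorded in the registry may exist only under SysWOW64. SAMPLE_USERINIT is constructed from the paths in this report, SYSTEM_ROOT is assumed to be C:\Windows, and on a live host the value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon instead.

```python
import re
from collections import Counter

SYSTEM_ROOT = "C:\\Windows"   # assumption for offline use; on a live host read %SystemRoot%

# Constructed Userinit value built from the drop paths this report records (not a value
# captured from the sandbox). On a host it is read from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
SAMPLE_USERINIT = (
    "C:\\Windows\\system32\\userinit.exe,"
    "C:\\Windows\\system32\\MSDCSC\\crss.exe,"
    "C:\\Windows\\system32\\MSDCSC\\jdDHAcgEiQiK\\crss.exe,"
    "C:\\Windows\\system32\\MSDCSC\\crss.exe"
)
# Stock value on an uninfected Windows 10 install (trailing comma included).
CLEAN_USERINIT = "C:\\Windows\\system32\\userinit.exe,"


def normalize(path):
    """Lower-case, expand %SystemRoot%, drop surrounding quotes and whitespace."""
    stripped = path.strip().strip('"')
    expanded = re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, stripped, flags=re.IGNORECASE)
    return expanded.lower()


DEFAULT_ENTRY = normalize(SYSTEM_ROOT + "\\system32\\userinit.exe")


def split_userinit(value):
    """Userinit is a comma-separated program list; empty fields (trailing comma) are ignored."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def userinit_extras(value):
    """Every entry that is not the stock userinit.exe; each one runs at every interactive logon."""
    return [e for e in split_userinit(value) if normalize(e) != DEFAULT_ENTRY]


def duplicates(value):
    """Entries listed more than once, keyed by normalized path."""
    counts = Counter(normalize(e) for e in split_userinit(value))
    return {p: n for p, n in counts.items() if n > 1}


def rat_indicators(path):
    """Heuristics taken from this report's drop paths: an MSDCSC directory, and a file named
    crss.exe (the legitimate binary is csrss.exe)."""
    p = normalize(path)
    hits = []
    if "\\msdcsc\\" in p:
        hits.append("msdcsc-dir")
    if p.endswith("\\crss.exe"):
        hits.append("crss.exe-masquerade")
    return hits


def candidate_disk_paths(path):
    """Where the file may actually be. A 32-bit process writing under system32 is redirected
    to SysWOW64 by WOW64, so a system32 path in the registry may exist only under SysWOW64."""
    p = normalize(path)
    sys32 = normalize(SYSTEM_ROOT + "\\system32\\")
    if p.startswith(sys32):
        return [p, normalize(SYSTEM_ROOT + "\\syswow64\\") + p[len(sys32):]]
    return [p]


def assess(value):
    """Triage summary for one Userinit value."""
    extras = userinit_extras(value)
    return {
        "extras": extras,
        "duplicates": duplicates(value),
        "rat_hits": {e: rat_indicators(e) for e in extras if rat_indicators(e)},
        "check_on_disk": sorted({c for e in extras for c in candidate_disk_paths(e)}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_USERINIT), indent=2))
    print(json.dumps(assess(CLEAN_USERINIT), indent=2))
```

The same split-and-compare logic applies to the Run key value the signatures mention; only the default set changes (a Run key has no stock entries, so everything in it is a candidate). The crss.exe heuristic is deliberately narrow: it catches this family's chosen name and nothing else, so treat "extras" as the primary finding and the rat_hits as corroboration.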
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547), 2 hits
    Registry Run Keys / Startup Folder (T1547.001), 1 hit
    Winlogon Helper DLL (T1547.004), 1 hit
Privilege Escalation
  Boot or Logon Autostart Execution (T1547), 2 hits
    Registry Run Keys / Startup Folder (T1547.001), 1 hit
    Winlogon Helper DLL (T1547.004), 1 hit
Downloads
-
Filesize 1.2MB
MD5 658988f2b817b216bc2e5d6fc4a2d189
SHA1 6bddb74ac5f44bf9576e07894209e27cdf41600f
SHA256 0f75723047e0c8fcd31f2c51ecf0ec3b920fa39ebaa2c9ab2c38a33c3e6878c8
SHA512 c45223591741115ae827470cdd1c26c635ebe50b883e0917fe40e1b4ffe62d41691eebb977acbcbb434b4b1647ab5fb1af0ad9d28cc1eccd5df2a493c36baf9c
-
Filesize 39B
MD5 857b6bb99a59c5b78f9dd2b9c2dc31e5
SHA1 05a01f96173511d1a25fb77f06e4d5f99b9f7c48
SHA256 f54f3c669bd072ba2107b0ea6233de465dd283f8c50f47e662729c766fb644ac
SHA512 047ff5edecc5c31661e540fc5e84616ba2f841482237336fb228887eb8cfabf696f663cf0da8762337e17b97f76688c64454793afc9ffb4a4e6cb005d795f68b