9a95f50c47ba44bdad1ee0b8206e2deed2b27f393b1a6a823cc564d39347b4a3

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Size

392KB
MD5

721e313563d9fa3414168c5a4725260c
SHA1

007a1d4392e0ca186cb5f6bf8e53487e64419a5e
SHA256

9a95f50c47ba44bdad1ee0b8206e2deed2b27f393b1a6a823cc564d39347b4a3
SHA512

2f26c1e33fdbf90228a7a4f93e2c7434483346272fad7a2225f8a78f6d6e7c80f928bf52db4e8ac16278e41582b82e7bfcaa62cacbe930dab9f20fc5362b9c30
SSDEEP

6144:zAUBbv2Q1JbLxgEb3pzFjqai1mlWYR6W7ndw/BOU06o0XmL:cU5jqai1mlxoadwJOJ/0X6

Score

10^/10

bootkit discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe:*:Enabled:Java developer Script Browse"	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe = "C:\\Windows\\jusched.exe:*:Enabled:Java developer Script Browse"	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2684	netsh.exe
1656	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2576	jusched.exe
2216	jusched.exe
2344	jusched.exe
1692	jusched.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	jusched.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2924 set thread context of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2820 set thread context of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2576 set thread context of 2216	2576	jusched.exe	39
PID 2216 set thread context of 2344	2216	jusched.exe	40
PID 2344 set thread context of 1692	2344	jusched.exe	41

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\jusched.exb	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
File opened for modification	C:\Windows\jusched.exe	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
File created	C:\Windows\jusched.exe	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
File opened for modification	C:\Windows\mdll.dl	jusched.exe
File opened for modification	C:\Windows\mtdll.dl	jusched.exe
File opened for modification	C:\Windows\jusched.exe	jusched.exe
File created	C:\Windows\jusched.exb	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1716	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A8233D1-4AF3-11EF-B6F1-C644C3EA32BD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428121293"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000b45be56127d1243357b9ae622773d6b9d5e6c869bf51b17efe7ee314524e3f4b000000000e8000000002000020000000017d1845581a18c113a41ef179ad3ead78734329887efe43cc0c53ed5861188b9000000007f5c1fab2306b8b9a93037591d2830aa1024d6a3a7c6672d8b794e58592caa6bcc4e8f77de41c8c945ed4ee698936d46bc1afb0d46b039c7d353c85ff4902fa31558aa432c5483ddfec400d8308c6312531ae706250b81047a63b8e07e4eb796affd79d1394e22e93cb3844d750b79efe83da5a0f0e6897e34e63559483cfcf30ccc624aa98fdbf30f827a50f9108a84000000027c0fe383e8e858d15e7e093ab2166d64761fdd5552ee4e9e05a2b6148af3a79886b00296abb0edc2a8a767eb8ea594f0fe908970f81a30123a7a6acdfccd9c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000008ab10f688dec028ea7d6a122855d0d2e5987d6e9f855c40f64c22ee102f0c602000000000e8000000002000020000000b9e16207ef721f4c73ae3b71c7d4a3c33f020e93286aff9cc1eee2219abde96a200000009168128c070e140848c0b17e6004d281b22eede8c868f35443c3caf40f826b074000000092608682d59d888bb23b80e357b5c0e78a21c2bc1b54e508a7ae1b22ee2ddb22b3e10c7f40703a0ae0c094bb2c07fb6858f6a4374b3e52ca384e6a07204b9150	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e1d62300dfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
2576	jusched.exe
2556	iexplore.exe
2556	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2216	jusched.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2924	2088	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	30
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2820	2924	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2164	2820	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2684	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2684	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2684	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2684	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2576	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	34
PID 2164 wrote to memory of 2576	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	34
PID 2164 wrote to memory of 2576	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	34
PID 2164 wrote to memory of 2576	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	34
PID 2164 wrote to memory of 2560	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	35
PID 2164 wrote to memory of 2560	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	35
PID 2164 wrote to memory of 2560	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	35
PID 2164 wrote to memory of 2560	2164	721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe	35
PID 2736 wrote to memory of 2556	2736	explorer.exe	37
PID 2736 wrote to memory of 2556	2736	explorer.exe	37
PID 2736 wrote to memory of 2556	2736	explorer.exe	37
PID 2556 wrote to memory of 2920	2556	iexplore.exe	38
PID 2556 wrote to memory of 2920	2556	iexplore.exe	38
PID 2556 wrote to memory of 2920	2556	iexplore.exe	38
PID 2556 wrote to memory of 2920	2556	iexplore.exe	38
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2576 wrote to memory of 2216	2576	jusched.exe	39
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2216 wrote to memory of 2344	2216	jusched.exe	40
PID 2344 wrote to memory of 1692	2344	jusched.exe	41
PID 2344 wrote to memory of 1692	2344	jusched.exe	41
PID 2344 wrote to memory of 1692	2344	jusched.exe	41

C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\721e313563d9fa3414168c5a4725260c_JaffaCakes118.exe
      4⤵
      Modifies firewall policy service
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Windows\jusched.exe
        
        "C:\Windows\jusched.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\jusched.exe
        
        "C:\Windows\jusched.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\jusched.exe
        
        "C:\Windows\jusched.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\jusched.exe
        
        C:\Windows\jusched.exe
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1716
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8cc05c930aa2c80e19971f995601b46

SHA1
e09215347487e29b3e09eeae267512589391773a

SHA256
58e4f2d46993d53eae56431d78352d9a2fcd6e485cabfc9f13f0d33d6c1fad9e

SHA512
70f878f880ed669ad195167df4ae85ee4514c3d550d0e4bf01284ab7840e054ff68af5309dd17c5acff3e89751eec81ca4bcf2324a176cea25d86efb3e8dc863

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a81ff7bf883df9bd73e57d272bc16b8

SHA1
16456c39b4a5a893ba922e90e7ef00752da67a31

SHA256
1b9998a03195fa4a6718876df17520a0c3b62a42bedb2c4eae6bd2f220935e4f

SHA512
a969cb6d56c5d3e6e6d67d114d712f1b97ce56d85ad9be81bbe03e52358e65dc83a8eb9ff4554e0558e24c3c89c4c601e0ce66495c36b9da6dcf431e4851c328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b5f78f1517c12c36bedebd782d3732e

SHA1
5b04ce7c1b5b29c7c02ec7996af0d600a39f721d

SHA256
ff839409084ccaa3d10b7bf84043e0da00b598dc4462451f045a3d69290b3b0d

SHA512
5ad62762e7e2a6637c05191c64d3f77f80f9507b074110419deb408368488618ed329bec02fbbc347fbb7c29ed5bc6d36ac19969540f77c2bb6110cd35dd096c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc8029104ee8058a5025a27c498bc1d7

SHA1
b5318d064adba77c5c67a9d6ab2756b56dae2e6d

SHA256
4928cfb0d9195dca65f07bc3ea2824e5fa9f24fa84fc0b8f1fe3551700ccf957

SHA512
9e853c68b3bef04b789095f3cb9388ba3675e0032acf1369c584bd54b84bf631449d1ffddeb0600614c99ce3ca845b6b3f2347661c7bb8e6d3f6622e52bbd3d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d843256c811a1b38846501209207e53

SHA1
1f336ae3fafa0b0049747c92e4683fc462be0799

SHA256
cc7c80964f05e8670070e1af7363d4fe8af5462f89266420b3222e70df2cf3d1

SHA512
f7d61ebf47a471d0c712d07e1de727096d5cd9794e7cedf38963e5d4fe35ca24e60b2252b7cdf37efabe77d1a86148eeb2f5b5cdbd3cd7d15f23294a7714adb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56bc9696c83e97276429af6a88771189

SHA1
c6bb85d95e3958abe4dbcccc4f8148e4f0399183

SHA256
a1d10a9527dd63f34a495934528dbb1ba348207cb625c61887bc253ddd849d63

SHA512
b518014d0b88b0887b7b06f66fe8583fcd354211b7a97f5f4f8477aea5049d5a956bfc3b2200b2138c76867bd6e8ad02f6183eee8523878c088303adc3db81e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84ce25f5625ba708a5e71865f9e818ba

SHA1
0ecca842a2ed3f927e5039cddbb50339f55e33d4

SHA256
b000444f1d8b07ea555c670499189c1771b974f214c02a38064bdfc15dfa2709

SHA512
60d4b75a5d2d305f3cc690d86e6aa33cc8cacd125f4b63822e3f7a6401f344d0ba03c4e565be4cc9a2acac6c6403941fbb8fe78b9a7bb1ade783b9e71414063c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec983b20196c3758e19977473cd40c4a

SHA1
3d4ec63b679de5570f8a87d893770d9b1e1e68f4

SHA256
229793f7147df7996d6335c878fff5c762a10e998695f9e8a36053d21db4c771

SHA512
afecbb4eadff9b552426920f398a66d99002d94b07b4a0473edcdcf6b2c99833718449314b643d8964e28a6df5e8c659200d4e6150a9e97834438a847b5f7261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65d4826bdc2952e0673ecf40da7553e7

SHA1
e038fc1bb97027ac6bc66e45c0d196f71dd6f847

SHA256
5c4d5e26488afcda58926c27eeff60b2ed6f9778a4d978a63355adc4888027a0

SHA512
8a88806c2a47e616cc90e16174288007b23edc9cf2f4bc7dc87dc40b5ded3e64d291589d97991ebfa17dccec005f25a3fd3dc2a3f274acee5feb9301ab2483f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137d1716ab0bad16399c03ab007963da

SHA1
c743e3be3bffb7ecd04a2f4322fc72626e34de52

SHA256
dceff46513b3f23b2383356921ee7c58924b0ea6adbb0acbced4ece29fed81dc

SHA512
9cf0f65d85cfcfd75a2b4842769318cc17ad7b942f9ab0cbec65964e29429f0366306580f78229c1737e8037aafd37d792d819852433859279beb507ce44f522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d41d2c25de696d7bad91fcb761ba41

SHA1
c6904c36530da1506ceee5057f49a8c9d5cbe07b

SHA256
abdead08116f76d462f95580da25db4b5feccb4fbc8c1c76f772dc37432f90fb

SHA512
840eda459e5a7a59500194531d332c50c0f67db854b086efc022033676b568b27ee53d8fe617f30388b378ec6be16b54e4d4c4426fc02029fa4d574858d08fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5650fc190f3a239be640b036ba312e5e

SHA1
9cb5c1e66bb050742d1d96ec2586630bdc691443

SHA256
ad896f103dfb630d90e2a96c0a9d778fdea33f2307ee0cf433a275497b644b91

SHA512
5d78906a0a7a5dec699d604df13fa9a9dd2fe819cd94cbc97e24cf35e8685696ccc4dc3d01bc6cf5540e5ba66371b8d85a538c81ce2529b0eac3f5e1fb1e56b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d43c6433d7f29f79b00ec47f6b5f5c3e

SHA1
dfd07ee11d5a7a0de309a098fd8154e38ca6181c

SHA256
cfa97ae154b51b8f0580bf582004eaaba131d919f5120b3c14d0d39bccec2b5c

SHA512
fe89108d56480e5e38b8b13703dda9d07b408a8d57ad6f53d49c65190cbacb4c9118be474926cfdb24907eb2084010d291ca64d3a3024800c1f7e3e272be2cef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96083726fbbf18793736390041e30a3b

SHA1
c1be71f32a3021a088cf3f5f0d0e0655763b4abf

SHA256
d281071cbf6897ec4f266b796a553407513f2bf6a6991941f8905c7d4601d784

SHA512
352030076729303ea819ebba554225c78177786eab0e9046e4d482f1c433ac389166b5964c37539c4564f3747fba77cd5202b0d3a0eb8944a8d0dedbde3ef295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2e7096f67f8b8f50e7451a14598e4c5

SHA1
dc5622f72b746a84715c8b7ee3d6d761c2e866dd

SHA256
3bedc1ebf469f3a00914f007092c0efa18e10aebc9e06ea6a639ab93858e5503

SHA512
af03bbb8e082b7edfdf0482a75d1fac289d8bdb355877bbb19896c61a92fcc3afebe1dc9d7af2a894b794cade9b255ca061a80a1dfdf0937f548257c6a8a5b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74bae0f2d8fba3f68416c88303b0980c

SHA1
3709e9b0ebd6daaf6b4dd98160fa99e3b7c8d4cc

SHA256
d8f76517d55c1424cbc8629f5d32ea06df5a128f84015e6f6998a0aff1ce033d

SHA512
b06f753fa43c544567934e7bf198d811a026e1255b4f6481d93abe5d52c8e9d3a169778bbff513b6f66d47d9c32ce44ecbc1953a683390b5bc48bfead4115694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b66828a4aa39bb5a44ca636c3cc091

SHA1
71bc639a9174ae1f61dfb60eb31ad82bc1cd5a50

SHA256
d98d80260740474bf324573e2601cfb25e741f1cfa60e1cdf569e3887eb7f612

SHA512
96210978b68f749891173811711460359e7615edf2b00ed71ab3ceec37415e46e29858971c9f881998ff36028cab9076f1b408f94723fde14849e3e97aaadb9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd55b09c991bb09bf624542adbff3b21

SHA1
c0836f530899be976287b9bd0696ea2784ffdc0c

SHA256
e0c7b75304f5f2de9a1cb8d34fe144e05570f4e6fc272ad6518f86fe4c0adbe7

SHA512
5b7dd4a68eb5915f207c2d1c6b444a214b008206cea062099faf78c3f623208edbf79d0bc6c889c121c3c7979740653a5c47872a132dfc6ad00d7f9953f5e26b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e757a33723a6e9ff192637da53f7f78b

SHA1
0c640d1af4fe7ff23ed664bb2d1a93a9fe1cd137

SHA256
c73d200a312f32356743d7ee81b903cd603cf1bda9b82b8921b9a681b8f0d0a2

SHA512
e2b0db6358e192d22f955ec1bd73ee7713ba162f0a79b659d3f3ec42cab381d84bdb620fff570ec2416bb65d2cdaf2939d9f5eed12b5d69cba0c5dbf3f968ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ae882d43b2929834a9a062e1ca82cf7

SHA1
bd8b93cb6149507abe5227b56d70f7dd94e49bbf

SHA256
5e0b478c201c2f71b6d49de05f618d4a10f3fa0958474120847539689135580d

SHA512
4778a4849aa0f695b140878074b2ffaadf1868061e31298249a951a77612ab01118fd3d3d17ebd1230a8c8b09ef5d462863bdb0e8d2311a635d983df4a16f7e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d76518dd4397b80e32084a02ecd8ddb5

SHA1
ba339aacd2c10abadf7d1a0191c63d03493fb11f

SHA256
c5737d1b5b52d908f547eafbd48295d5355e51744102ad3012f8f4d2d6ea1692

SHA512
fd8c894ec5678f1b6f9165966f2ed6224316d5ee2233b5634017d213f70f2134dc79bf23e0c3030b8268de6dda4f71dbc905aa491b137aad42a8aa267736564e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b22a74d83604d212cf3365b00b54255

SHA1
8303912ff393829037f4dde4091448a7b42f145b

SHA256
15105c78be3752c1d8251c4f34389ce679520b35d20acc8e6833776aa2560fd0

SHA512
a5ae78e82f9464e8e2bfceec43957877ac1595881784890aad1e6d122ca013cc4de34070ac2d79979e36bccb9fdcb7157f621cbde97fb48f2901821bedc59c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71c036936d5d044b9babe4015c78f9e3

SHA1
6f02e797dcbcea078c4a96ad9428a9aeabdb8738

SHA256
b20a68fca980010ff88c451bd922681121d086aa379a145ce07fec9eb599c8ae

SHA512
3e0a2bf3877f1438859c73c711cbd45b97bd184d4cdca18178bdc0f1de96ef8b5f83b4291c35598d3f1213897d4b05429d0a05c4cb05c135b8f5f2321f51c052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2349e28d962631323afa872fc3cd07a6

SHA1
434d5119029435c1a365a32dbd5926d682f53480

SHA256
d20a1c370532ee6d5c09aa11e64a37741a114a0d585573bc0a51cc5b77f9aacb

SHA512
b9b3eb634c152cc0330022534566c96eaa00a1d611803c4ae74a732e61a4a731fed5837edbafbb7b6915b9ac6dc26016ea87472ec8b3b293525314ab4c607328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b9d8f082d7f8df808ccf7c780681780

SHA1
082c568317ae0fc3e658ebb12ab4fbeff74677ec

SHA256
d759374ccc6a0ab5f4ebef2d2f5cbab955de9823f511d02791105ca14e4b2046

SHA512
6fbe6a22b51a202f0852045b39d76f6ce348296c8578bdf0a9e3f60725a55141b3f7fe4d955ee2abb953f2c3f2bbaf92cfb2f503919bad1d58a4fd6da241e927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d20f6e3fde1b46878f7f04ae4307f7c2

SHA1
1c61506eff5995fec58601c2b238eec11bc4b0cc

SHA256
ce76088fd0a75a58c432a279a95b294e908a72488def887ab180fdd64c83077b

SHA512
ea96742abb5c28863931af51e00fb27e575f19f250d4ed162c2fb5850274723fcb484902ff1ad1d16d71267790cfe20090392f422049bba4cc8f466c13331782

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb3c5bde39098fb1abb0fb72382ae71a

SHA1
f9986b31cf4bd1b9e855ee5599f0829e27e4690e

SHA256
080a7821db99acd3aeffba2e277313bf42b213733c6ea26aacdaa8225b24a369

SHA512
232cf5fa0c11cad5d10d60fc1b70bc4ec817d6ae04628b0d506eb3bfee32708ce3690c8f058ad72665aaf3beef34277e1e3c4b7b822c92706e045d8ed640becc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fdb240e3c98217380d371eb9bf72009

SHA1
d73798fc25fc1f315693edaebd4a0bc88e5b6840

SHA256
d285ec93999adfe34ed81a1f7f33733e6a00791e1a4692fc85f2170053f27af4

SHA512
7f078e9ffd8609c7a77219af6ccdb2b2f6948a26940b8d828ee69d22fe987319acb35448dc04117f0d0074bb4c26bc2bf3306b307412e4d2b2b91547e6ef3f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a9921050766795e4b36d1570c0f6aa

SHA1
3db8eaa0dcfff9a8d99909b7e1564bf20113da7e

SHA256
3e21dbb4e00e84ce0c32f6eb03fff154991782beafc8e2c895e315b684fc4423

SHA512
f2fb53a6e0a4ee9cd5e239961cb5269ba94a11ec7d83177da2e228da8f46a02a800df9befb029ddf0866d5cb7b2b0e408cc9057f8d786e9b99f7a5775c948328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38d445aaf6c857416388ddd47f9976bf

SHA1
fa76cc37fd083e9bcf0647607ace5eb1d242c223

SHA256
ab8e8e7d76d1a1759eed8c694b1b9e80d8ec01cc91ae5bb874d0fbc402cebf41

SHA512
1f660ca3c2543e3d3761d4eee5b09417d384ef2ae6090d975020ae5323651ebdfb1681b3d2a19fcafc0c5e8e3914252aedca5ec3fedd29415a5ec06d0c31f96f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92bdad5b218a8ecbb110633ab7844979

SHA1
89a6733b042d180b816d8a5710eaf51bcd398017

SHA256
98c1188040a536e6d890ff59721e45abc4adee18de4e52af9220d0ff020e0893

SHA512
1ddd651d6234952470c7fa7634a0a7e362d072f2935a90bbe8b73f8c3a30e654095c580caeebd9dc6de1fa8fe3ac9f448bedab5c8c2569473cbf4edcab207569

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff776430ae8875c164443a136475714

SHA1
457d122bdc2984741c51f8c8e42d4a95318b1de4

SHA256
51ac3d2b61f3d169487781a056a78ac0536dc97b8cf07c0fe3470e505e316a1b

SHA512
ccea5250d815ba343074f7d06dc1fdebad0d627d1962036aa70231bacb054d37187169e076ff8afb3f30c8f719a996ec6944e3f87ca3af5523b712095996b3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55d18c99951b33208a3b138f0aa4ddce

SHA1
46d6b914aea3e15f52b310f36f13e9ef896fe740

SHA256
87322373319629330c1ddf96d8dd05c05fb99c6fc1027507285d86f8d2e7aeb2

SHA512
4d76161638b5a817925db7cb5b65cb458ce1c5df880887f12ace00018366118839229f91878b2dce84f1ac6d6b537ff35df95e986ee7d64343f52ce9102edd4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b075ab7935d35eb48b5b08c65113d5

SHA1
e815786cef6bce131894518a5e3673af36fa8634

SHA256
bfd9c483bea741fc3b24b7af6ffaae35e2d79205a2a779fb6a0b919b27869369

SHA512
349b5f840d249b9d8403902cc162f036a9339336ef8c85bfe3ce87be1b2874d71b192240bb1199c3899767eebba5accf035779f2e11c2ad2f29e827ef7168271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a02f4b444ab55dc4743927d06a26a72

SHA1
e673406f454b1172d75b4807fe123c01d300cfe0

SHA256
ae5ab997568dff3790bf3d4ed7e993742408427dd90352e3985fb712dcd347eb

SHA512
3f12b656255f70b3a69095d856d4ce7ac057cac7538396ac638e0d27948ab353664fef3a6bef09047cd30e15c80875f4d40a71863c72c2889bace32a8df64987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
223f869de9cbc533a9b4ac999e90720a

SHA1
4b5e5232187301ffc5c18638ebf83611e1cf7a6a

SHA256
066a7eee8102496d1e2d4b7587ed46329daffef3b487615eeeea148fa6834cb7

SHA512
3c63e7561caaeab947aad2aae15d1fbb558eddcd638835d15d1a77b4dd3bfbedefd855c70aa2de6e4d4fb267af43405f004b0e6a4833fcacce4635f2a64254ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
096da1c6b9cc31c5a15eb55ec7a5f868

SHA1
297857827038e9fd250d8d0d10623537028aebc9

SHA256
88b2436780f1e112f98b1c8d015e8c3335f9b65ce6e57027fb23bd4f10f5ff07

SHA512
cce8e9b27e55be7454498ec669af54e4c68519a527453dcb08a2c0550e16747d80bb7482d9442edca7716b1e790c839fe8c04201718cfd547ffc0a7a9f8b1051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd6f8acf45d554f6483ee9743b68aa05

SHA1
0d1da9c0b76ec504f5348c57fd4b3ef88b2926ba

SHA256
95a6e812f99c265186ff066d9cba10b6ad1bbb1a682047cc02d25a7012f4b033

SHA512
7eed3ed3011b62eeee7779bc3a05fdce23da3b217cc1d0557428d4f442f4e2d41b642c1213e40dfde3d48483a26dac9fcdeb383cb1282f2785c0dbf85ac0e595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eab033af3d1d9686d5909008b3081ae

SHA1
abc979ae84271a303bf091ada0d1e8c08ba058f7

SHA256
136df9ad7f4af5f81c001d286ad3bcc8e479a2c45f99551107a2b45f9802cac3

SHA512
a3cf09e4435d661c9d556614209e745d8da93d36b07363bbc3cf6d2b54e9fc619e5c0fa7aed299fc96875bce3e17f417ced738d0bd95136d7c5bc99d243ba284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d5a2fa75b3d88e2b6fbf40a76ff551c

SHA1
b56b334a5661f74db2e3167f9467133cfe945354

SHA256
e0d10005815b84bcb0a789af223c9f8a8b466b00ba8f7057c86ffd313a9f95fd

SHA512
d4021c36acd5150c95ede7293e17e36dbddca23a63496d4d8d4de9d2767175656984ce5051476777760c32fb3d4ef05b019423664331a7662ff37e560cbf3738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d6fc46875a95930e01a8b9213c6e8f6

SHA1
e5fb7351c6aaeaf73e7e18061c01489c23c43e44

SHA256
b7ec7eb6dcbc79015377eeffea2e251e9191273dc8da6ff3aeddfd1b2199318b

SHA512
8adca717b4e9204fbcdad8db83d82d2cd4c833703628367bc529c73ffc8f240e16be11aea717237f72555d351a5d43cd722d746cd13391ba4e72faffc14abf3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c61f40e75c6cee6bc89608f0d4a9858

SHA1
a7661164af5b43e4b002b7ed8163993124b25152

SHA256
e0f0101b256af1e7069a51b625d2b84c16420982181ee3f2b90cb7b2dcffe487

SHA512
ab9e9db0b7192e3fb13c89a0d07be7c639f358c879ab3794c56a05de035833cb659d7fcb504654ab4652b3eaa488a96c523bc6f27bacc20dd1ff52335bf37d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6238bc57ab8009998f5120d3921f2e4

SHA1
77892122c69717673beedf5dd777b976cc986b39

SHA256
40d6d55f76878bef426f0f0a6d3f248c3d7179e84c5dde7d61233a0fda0ec51a

SHA512
7f55378597a5f2f4e3040ee2796573c35a9b1fef4263b7677fdfb57c828c0b6b403dfc624521a7b05e10aa4c48830e11ba867eed4b166c6fef76afb22a43e04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ade9886bcfe637223817654e36448d2

SHA1
77125d6dd56e7dd6cb6b0be78df97908a4bbb1cc

SHA256
abd166e1f5032914ec0afe1d9b0938635ed704804a7d3cdd0256c9244abf4be7

SHA512
92f974682437bd096e6e3d51faca1e69e53549629096418111b2aca44ddc1f84cf7638e7582f68324b2ea82fa960ad09c3c1a185b357bed9beeff7505480ef11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF96E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFAA9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jusched.exb

Filesize
392KB

MD5
721e313563d9fa3414168c5a4725260c

SHA1
007a1d4392e0ca186cb5f6bf8e53487e64419a5e

SHA256
9a95f50c47ba44bdad1ee0b8206e2deed2b27f393b1a6a823cc564d39347b4a3

SHA512
2f26c1e33fdbf90228a7a4f93e2c7434483346272fad7a2225f8a78f6d6e7c80f928bf52db4e8ac16278e41582b82e7bfcaa62cacbe930dab9f20fc5362b9c30

Download Submit
memory/2088-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-14-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/2164-65-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2164-67-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2164-59-0x0000000002030000-0x000000000205E000-memory.dmp

Filesize
184KB

Download
memory/2164-60-0x0000000002030000-0x000000000205E000-memory.dmp

Filesize
184KB

Download
memory/2164-47-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2164-45-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2164-46-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2164-38-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2216-96-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2576-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2820-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-39-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download
memory/2820-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2924-29-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/2924-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-332-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads