Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Size: 2.0MB
MD5: 477f9071a2494106f3bab9d866bf491e
SHA1: 5bdbec0b011c60945154742de74c75cf11a6e8c7
SHA256: 30f309b4912eea977732ec38083cf4e363ff4f757df1b2a5170d9033fa831655
SHA512: d1efe71ff34b986b72e4ca13210a019efe12fb6f08728a56350ce7ce5dcab566035db26429e104f2524dfe4774e77b4845863f3350971fc79ddae69b062e74f3
SSDEEP: 49152:5n2CWZeY24D4n8pKd7IXuZzKRQ54ZxrC/ccha5FzGNUbWkt9:J2CWZess8pAsu8y5qxrmhaTvbWu9
Malware Config
Extracted: babylonrat
  cryfreeman042.ddns.net
Extracted: pony
  http://www.mytonnymaxltd.com/wp-content/Panel/gate.php
Signatures
-
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | Pony.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | Pony.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | exsy.exe
-
Executes dropped EXE 9 IoCs
pid | Process
2060 | Babylon .exe
5084 | soft.exe
1576 | Pony.exe
4400 | exsy.exe
4296 | Babylon .exe
2420 | ykiv.exe
4420 | soft.exe
2936 | Pony.exe
3632 | exsy.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral2/files/0x000800000002340c-9.dat | upx
behavioral2/memory/2060-16-0x0000000000AB0000-0x0000000000B79000-memory.dmp | upx
behavioral2/files/0x000700000002340f-26.dat | upx
behavioral2/memory/1576-30-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/4296-65-0x0000000000FC0000-0x0000000001089000-memory.dmp | upx
behavioral2/memory/4296-58-0x0000000000FC0000-0x0000000001089000-memory.dmp | upx
behavioral2/memory/2936-78-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/1576-184-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/2936-185-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/2060-188-0x0000000000AB0000-0x0000000000B79000-memory.dmp | upx
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Pony.exe
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Pony.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Pony.exe
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Pony.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Myybol = "C:\\Users\\Admin\\AppData\\Roaming\\Qeryed\\ykiv.exe" | ykiv.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 9 IoCs
description | pid | Process | procid_target
PID 4820 set thread context of 5088 | 4820 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 90
PID 4400 set thread context of 3632 | 4400 | exsy.exe | 97
PID 5084 set thread context of 4380 | 5084 | soft.exe | 101
PID 5084 set thread context of 4380 | 5084 | soft.exe | 101
PID 4420 set thread context of 4500 | 4420 | soft.exe | 102
PID 2936 set thread context of 5080 | 2936 | Pony.exe | 105
PID 1576 set thread context of 4852 | 1576 | Pony.exe | 106
PID 2936 set thread context of 5080 | 2936 | Pony.exe | 105
PID 1576 set thread context of 4852 | 1576 | Pony.exe | 106
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (17 rows share the same key; processes listed in report order)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe, ykiv.exe, cmd.exe, soft.exe, explorer.exe, Babylon .exe, soft.exe, Pony.exe, 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe, exsy.exe, Babylon .exe, cmd.exe, Pony.exe, exsy.exe, cmd.exe, cmd.exe, cmd.exe
-
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Privacy | Babylon .exe
Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | Babylon .exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 rows, collapsed by process)
2420 | ykiv.exe (46 rows)
3632 | exsy.exe (2 rows)
2060 | Babylon .exe (16 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2060 | Babylon .exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (64 rows, grouped by process; repeated rows noted)
Token: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege, SeSecurityPrivilege (x4) | 2060 | Babylon .exe
Token: SeSecurityPrivilege (x2) | 5084 | soft.exe
Token: SeSecurityPrivilege | 5088 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe
Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege (this set of 8 repeated 5 times) | 1576 | Pony.exe
Token: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege | 4296 | Babylon .exe
Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege, then SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege again (11 rows) | 2936 | Pony.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2060 | Babylon .exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (64 rows, collapsed: each write is listed once with its number of repeated rows)
PID 4820 wrote to memory of 2060 | 4820 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 87 (x3)
PID 4820 wrote to memory of 5084 | 4820 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 88 (x3)
PID 4820 wrote to memory of 1576 | 4820 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 89 (x3)
PID 4820 wrote to memory of 5088 | 4820 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 90 (x9)
PID 5088 wrote to memory of 4400 | 5088 | 477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe | 91 (x3)
PID 4400 wrote to memory of 4296 | 4400 | exsy.exe | 93 (x3)
PID 5084 wrote to memory of 2420 | 5084 | soft.exe | 94 (x3)
PID 4400 wrote to memory of 4420 | 4400 | exsy.exe | 95 (x3)
PID 2420 wrote to memory of 2452 | 2420 | ykiv.exe | 42 (x5)
PID 2420 wrote to memory of 2488 | 2420 | ykiv.exe | 45 (x5)
PID 2420 wrote to memory of 2700 | 2420 | ykiv.exe | 47 (x5)
PID 2420 wrote to memory of 3564 | 2420 | ykiv.exe | 56 (x5)
PID 2420 wrote to memory of 3688 | 2420 | ykiv.exe | 57 (x5)
PID 2420 wrote to memory of 3888 | 2420 | ykiv.exe | 58 (x5)
PID 2420 wrote to memory of 3980 | 2420 | ykiv.exe | 59 (x4)
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Pony.exe
Processes (indentation shows parent/child depth; signatures are those the report attached to each process)
C:\Windows\system32\sihost.exe (PID 2452)
  command line: sihost.exe
C:\Windows\system32\svchost.exe (PID 2488)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe (PID 2700)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE (PID 3564)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe (PID 4820)
    command line: "C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe"
    signatures: Checks computer location settings; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Babylon .exe (PID 2060)
      command line: "C:\Users\Admin\AppData\Local\Temp\Babylon .exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\soft.exe (PID 5084)
      command line: "C:\Users\Admin\AppData\Local\Temp\soft.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Qeryed\ykiv.exe (PID 2420)
        command line: "C:\Users\Admin\AppData\Roaming\Qeryed\ykiv.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 4380)
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2e02b1ce.bat"
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\System32\Conhost.exe (PID 4200)
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\Pony.exe (PID 1576)
      command line: "C:\Users\Admin\AppData\Local\Temp\Pony.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 4852)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240617531.bat" "C:\Users\Admin\AppData\Local\Temp\Pony.exe" "
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\System32\Conhost.exe (PID 3936)
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe (PID 5088)
      command line: "C:\Users\Admin\AppData\Local\Temp\477f9071a2494106f3bab9d866bf491e_JaffaCakes118.exe"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Tyorh\exsy.exe (PID 4400)
        command line: "C:\Users\Admin\AppData\Roaming\Tyorh\exsy.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Tyorh\Babylon .exe (PID 4296)
          command line: "C:\Users\Admin\AppData\Roaming\Tyorh\Babylon .exe"
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Roaming\Tyorh\soft.exe (PID 4420)
          command line: "C:\Users\Admin\AppData\Roaming\Tyorh\soft.exe"
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\cmd.exe (PID 4500)
            command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2e02b1ce.bat"
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\System32\Conhost.exe (PID 2996)
              command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Users\Admin\AppData\Roaming\Tyorh\Pony.exe (PID 2936)
          command line: "C:\Users\Admin\AppData\Roaming\Tyorh\Pony.exe"
          signatures: Checks computer location settings; Executes dropped EXE; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; outlook_win_path
          C:\Windows\SysWOW64\cmd.exe (PID 5080)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240618078.bat" "C:\Users\Admin\AppData\Roaming\Tyorh\Pony.exe" "
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\System32\Conhost.exe (PID 4796)
              command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Users\Admin\AppData\Roaming\Tyorh\exsy.exe (PID 3632)
          command line: "C:\Users\Admin\AppData\Roaming\Tyorh\exsy.exe"
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
          C:\Windows\SysWOW64\explorer.exe (PID 3360)
            command line: "C:\Windows\SysWOW64\explorer.exe"
            signatures: System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\cmd.exe (PID 3340)
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaa6be9c1.bat"
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\System32\Conhost.exe (PID 3580)
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe (PID 3688)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3888)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3980)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4044)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 776)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe (PID 2356)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1728)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe (PID 532)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe (PID 4768)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 4600)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4488)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 3572)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe (PID 1012)
  command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\BackgroundTransferHost.exe (PID 968)
  command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)
Downloads