b89c100fb14353723250720e3a543dc0e069464dfc5a3e9deff5df7591b6a1ea

Analysis

max time kernel
139s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe
Size

632KB
MD5

864540efcfba01994f6f2730c5f919fd
SHA1

e91ce6e86102cd043a187de9ea8d3855c50b82cf
SHA256

b89c100fb14353723250720e3a543dc0e069464dfc5a3e9deff5df7591b6a1ea
SHA512

40bda94e28b4ab8c49bb05fffedb16cf327c67a2a4ffd1c2a531659ed3be5ea4815563f3dce27e0645b2fd81d3bdcb7358f0725dbc38240c53092dc6bea66f81
SSDEEP

12288:LQL/8Gya/JAywTk+mh/w4EUkVYLNEgL4vUvdq5lNtTirdJGdM:LQLx/JA5kpEWE2qUvSTEd0i

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	MAINDLL.bat

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MAINDLL.bat
File opened for modification	\??\PhysicalDrive0	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2B3723A1-571E-11EF-8D34-5A77BF4D32F0}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2B3723AC-571E-11EF-8D34-5A77BF4D32F0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2B3723A3-571E-11EF-8D34-5A77BF4D32F0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2B3723A1-571E-11EF-8D34-5A77BF4D32F0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\MAINDLL.bat	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe
File opened for modification	C:\Windows\MAINDLL.bat	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe
File created	C:\Windows\MAINDLL.DLL	MAINDLL.bat
File opened for modification	C:\Windows\MAINDLL.DLL	MAINDLL.bat
File created	C:\Windows\uninstal.bat	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAINDLL.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 004444ee2aebda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429459126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0086000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807080006000a000d00290005000c0000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{12BD793B-BB5C-4936-BEE5-FE8FA6465B71}\46-90-22-48-87-7f	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807080006000a000d00290004005e0202000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-90-22-48-87-7f\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-90-22-48-87-7f\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-90-22-48-87-7f	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2580	2768	MAINDLL.bat	31
PID 2768 wrote to memory of 2580	2768	MAINDLL.bat	31
PID 2768 wrote to memory of 2580	2768	MAINDLL.bat	31
PID 2768 wrote to memory of 2580	2768	MAINDLL.bat	31
PID 2580 wrote to memory of 2704	2580	IEXPLORE.EXE	32
PID 2580 wrote to memory of 2704	2580	IEXPLORE.EXE	32
PID 2580 wrote to memory of 2704	2580	IEXPLORE.EXE	32
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 3028	2804	864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe	33
PID 2580 wrote to memory of 832	2580	IEXPLORE.EXE	35
PID 2580 wrote to memory of 832	2580	IEXPLORE.EXE	35
PID 2580 wrote to memory of 832	2580	IEXPLORE.EXE	35
PID 2580 wrote to memory of 832	2580	IEXPLORE.EXE	35
PID 2768 wrote to memory of 2580	2768	MAINDLL.bat	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\864540efcfba01994f6f2730c5f919fd_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3028

C:\Windows\MAINDLL.bat
C:\Windows\MAINDLL.bat
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2704
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MAINDLL.bat

Filesize
632KB

MD5
864540efcfba01994f6f2730c5f919fd

SHA1
e91ce6e86102cd043a187de9ea8d3855c50b82cf

SHA256
b89c100fb14353723250720e3a543dc0e069464dfc5a3e9deff5df7591b6a1ea

SHA512
40bda94e28b4ab8c49bb05fffedb16cf327c67a2a4ffd1c2a531659ed3be5ea4815563f3dce27e0645b2fd81d3bdcb7358f0725dbc38240c53092dc6bea66f81

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
aab1d19c9af12474f9b55c1d677b76f3

SHA1
79da2828e1796a63ffbcc9c4fc6faae7773e686c

SHA256
5c47d327f0810c1b0e3798089a9ebc373d5a06fd89899ca85d9951ee1f624606

SHA512
c4699f8d2c66626d621bf30712d612ef54a352dd3a57da8afab495ab1f3f1eac165021319fb257e055180362409dd9039928850e685a708a697b930859286e0c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c546a69cb1cf9ab4ceed7b15fb99a68

SHA1
6d7fd22595c9cd3cdf4683b3189b9be5f06e8b08

SHA256
6c3136583425a151818fbef80fc44e8cb86c8a9c8c06fb09a08989e8a96370b7

SHA512
f3ca0d5852a144c20cffe0e438beb4842e1d04b48b079531f82ec4a83bc0baf5c7cc00e3867f806ac217c429fd1fe4f5d19c594bc185fd06cfc4b28d123ff596

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58dd171fa2378289e3db9276b53bb7d0

SHA1
82120b0ee8f03c14c3bd0bfe59056f8456dde06f

SHA256
669a979677c05c698e700d0aeb17f9a438988bc61eabc65433940c86fee1cffa

SHA512
6a09cdd86c974d315b2c7bdcdc8d0cbaf1873eedea360fe623a55a509beca5a545733159e1f7a64f90b55bdf82f4f0b4edbb6b04de5c7ba6eecbc644f896ddf4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6544821735928626caf3887568f7d0c1

SHA1
10f534c96e84fedb1e3d6fe96998f3d9684e9a90

SHA256
71a6d9e0a1748cbe64b0c1c52c9a8fd03279391add4ff6dc145092ee6df6b53f

SHA512
f0ec32c39517079e6d115f7e01b535e7bd2e588d5ed88f18f24ff33599b855e91d57919795c55b1c234c06781ebd72b74b0de434e22dd102b64d2a40cf42d023

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47e0463a026bac6fc256aacf65da4239

SHA1
5b759295534e030d58d34b43ff40dd9eef458ead

SHA256
f49677eabe39b91c020e09c2735e84b04d8456aede485bdb31af1bd133fd941f

SHA512
5230b30078fdf1806544b79356605af03c5f81e2b5a2cf9266907ddab83788190ed98d70bcb07fa41d8a1b8109605ced7411ddef237306141e7bb31f86f362e2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbb6bd21ce302871bd900ec60fd4b629

SHA1
6964cb3dddf76e40fa339a0ebb53369b07a788f6

SHA256
c8b9d8e69b37b83b012de65e15a4956c14b4b808b12dc8265a11ad67ddec64c7

SHA512
c419f083629bfab3a86a9cae1dad8db470cfb9d5974780a78ec16b4e538dc11f66431ba051e598d9be436fec01f8059ae51af0c66ad4c21962cd711e9ef82199

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d10cfdb0c61066933605e64d848c09fb

SHA1
e17692c2b7f8acb44251fa3d6745a15ef0062250

SHA256
38257b006fff781ef91628057d48c674c7e26fa5632eceb09ed09f18b2d1803e

SHA512
7d6fe178ea8aab6f7b3edb9f9344a77f1f2f9996a0f09bd10f2c27655647444a2dcf0c0ccbc7d2266f96c413ef5d4fe5a35b8d7f9ad2fce74364bb5aae5f7424

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32c2001729d3e4a277303a51a379632e

SHA1
282aa657f52efc23bbdecd0ce7524401e52c9a42

SHA256
da6a90c7fe709c1fd80b1e217e0166d0938bc9ed08107c8db5f5b9585b1a0444

SHA512
4f07d158f1bc207af0a6efa8b83b5c43aafba40054762d5da649b1d92a9cac4e9c5943915d9cfd45032631e215f8facdf66bc35588e0ff6544e5eeb574478faa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a51971110a6c6b135c8e7b9c72e93ef

SHA1
7eeebe259e98f7f89913751c88038adad95c6b8a

SHA256
837f2b2827813f0b8431fd31f8fa719bb88c75af9a6d2c2f3584d65f57d6ed5b

SHA512
d8fcc13e3d481700029eff3e2667b44b7f43a7a82ae68079311b1c25a90e07afc5c021fc72d610dd53a07f0bc5f5ff8246624cc5c4c9d8351f2462f64025523d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59b9f31ea8c180c230a74d80393738bc

SHA1
763c5aa1fb9702f5783e8c05c2bd6a1b76e3870c

SHA256
1191fd28156c48ab66cc8aff23b6be32fef62f105860d15981b314fc9a9d5021

SHA512
adfea4ccf5b8221d5836f434eb87e5b8b6d96d79721a8aaa4b2fe4537d9db0e66e930e6e0aef3571e5e067cd904515ae82c3c1794e2bd9864fff02b27ca66185

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93db9e0b4424874e5a14f9b994fb6362

SHA1
6526f85386c16c039531be1273eda5420a17735b

SHA256
9304fde2382bfa257e592329dd84f436928d7bccdae50e5681eaaec3709eaff1

SHA512
22d794ce20add987fe3b9600377efcb553b7bf1b6f4d15068c667aa3fcab4071b4aef34ba43935f12e15ca4edc6e592521a9252e3737fa5653f46e361a5d2829

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05438ff78c64401695488caa027d31ca

SHA1
c2ed1d82012fa810e8b94d8ecfbc4399a97c065e

SHA256
fedb522f6781a36fbf4ad424b7223c70688556c2b740d6ff072ab025c99399f6

SHA512
ebd3cc8c400bcecf6a9802c6ac9283bf3ae10440cb3dedeb5b47ca3ea9a3f70e949d18e892529387c2e9d47ce71ca3f137aaae33ff1212771671a64d2d662b23

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bd195e3190b8cec96b3fe342006e094

SHA1
249efced1bd520afc5f55f6798dee5518190fead

SHA256
5769efe9545d117fbf0291b2d3a6ccb4a44c5de41eaf34d06617a0c77f6c89f3

SHA512
27ea749f99617096d5f99a34e749fec57ca847880eb3c2204d6b360cc6ab412cf8435018adec370ae3ae9c5a7beb23f446818b7d2785957a0bf79750b0f5e8e3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64e61a02663a6baab5508e3eacb9886b

SHA1
4868a4bde6f1fce95065ba4c88be79a2c07133e7

SHA256
0bb81376a2dda931c5ad5907857e05273f13958503f863e72d427fbc5c59fb44

SHA512
dac154f7a1853c9a8cd3e96f0fb876916f51496a7c85787049ae5548b76eddcadf6ecb9a719a8012db4ff98c6d43a01a511e4c85ea0c53c44c3aa6d8819761f8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7018a474ac7bc2f4c1ed6456c5e60193

SHA1
1bf15b4e3b42d9c285dde588d7d6d94979abc2f6

SHA256
04d6a44f0efa76cebca1d96d60682b26d81307d7411857904d7e49fe1c371b29

SHA512
443643ab522aff5f16def23b1c5031d39062f657d94372a7625a071d125759e5639343bcb0bd93f85d4804b44259a22200d470ffa5c85d7e8fe3d6d5f1673304

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
febf40151bdd2bb29dcb4bf6e5a9d135

SHA1
7201a90d11030b835b648609861c43dac4683cd7

SHA256
f4e1e02d2bd8cdedc4db6976b54650eb3a66be6eec2e8915898d8364dee09d08

SHA512
f82dc39334a8866283c559f6aa82ac61e5c566fae8214162c1625d85b9b1e9a375d7f1213232400dd87f213cf298175836c15daa2739abce449b3d25f3b4835a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5e9473d8fdb0ebff04481ceebc63ea3

SHA1
229e1c6719e090e26902feaee050f8f39cca8805

SHA256
658305b8ab75194e685fd31ee42ac1aad85a8e55a08d3bbacbec2df5ac906e4d

SHA512
74fb52ecc05b7d6929e6b58f9994dafaa4ce10e1565837dfb68c7caf5625d52cd837fa6cd38fcb004f4cb2df95e2c0deeb3256fddb7ed1d1887528be0862b21c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f3de4080afed1657600f06a13fe8e65

SHA1
38a70b9a6458e832935e9bda55e0f42d4e3df9af

SHA256
34b90db4f9753c29258c375f7005a1fae0ebc200c872a7a408a2e99e47952f4c

SHA512
241e31da9fafaaa8cc830d25cfa8acf216fc493fa43f32fc88057f66074ef3cde1d504b2b6a047383c16723c9f9472b23b1c22d624133b8a67e6bd8741eea19c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b4f4f237d27c25085a4771db397df45

SHA1
460803e699ea2b8dd7b76768bb7a31efc6bd2b2e

SHA256
f98df9eb0539b003fbeca995e52471c86bf730e73ac2ed1dc17a7638871a391c

SHA512
031f8506e0ec670d732b948d3633db9a0a8994a9c7bd3dbd368326c217ce0142b925923ac4f146468bf3812268a7ddaf82edbbeb1e73f23e30a5e52227f739c0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1babb0b77acffda382737eef16a87bfa

SHA1
d3edef15afb5fc742ef05345f712aaf172f53f45

SHA256
df07418a1f293b05c5260bb1d89dd73463c658ddef167e9d003048b5e283eefd

SHA512
d1337da5541b82afef89fca21cd0983aadc57de59ad302e1b78b7fa4e35e4e0f25dcd1bb520771193ed05e3396f6eac86b5dedb90a7122043c88309115c5d0cf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab74F5.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7509.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar7714.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www6799.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www67AA.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
672bf5221df7cfa615ee2df78ca7a7f8

SHA1
b88932ab60595f44293ca982666c6af91031d804

SHA256
9156880248f070545886e5dce9498542676b560ebbfe4a59e443fae81718008f

SHA512
f6c3a2582b0104ad2c8a1ecb12e2901dd9694c710854237319737caecb5a656175c49c3912303c850f663c71d69a5a4b46f40866bc070e3865573aa39590b25b

Download Submit
memory/2768-31-0x0000000001C20000-0x0000000001C26000-memory.dmp

Filesize
24KB

Download
memory/2768-32-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2768-33-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/2768-34-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2768-26-0x0000000013140000-0x00000000131EC000-memory.dmp

Filesize
688KB

Download
memory/2768-35-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/2768-36-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2768-37-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2768-27-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2768-168-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2768-167-0x0000000013140000-0x00000000131EC000-memory.dmp

Filesize
688KB

Download
memory/2804-17-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2804-46-0x0000000013140000-0x00000000131EC000-memory.dmp

Filesize
688KB

Download
memory/2804-47-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2804-12-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2804-13-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x0000000001D70000-0x0000000001D72000-memory.dmp

Filesize
8KB

Download
memory/2804-15-0x0000000001D60000-0x0000000001D66000-memory.dmp

Filesize
24KB

Download
memory/2804-16-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x0000000013140000-0x00000000131EC000-memory.dmp

Filesize
688KB

Download
memory/2804-18-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2804-19-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2804-20-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2804-21-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2804-22-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2804-23-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2804-24-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2804-2-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2804-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2804-5-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2804-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2804-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2804-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-9-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads