972e7d3eca32a40fcc044f8d826d1e04bea3d60c903c6f1b3490361db513bc58

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
Size

1.3MB
MD5

97f427eba588cc8ddb5bb4060d4da670
SHA1

e775ac83614dbd26f33265a9f2efc47a326072f4
SHA256

972e7d3eca32a40fcc044f8d826d1e04bea3d60c903c6f1b3490361db513bc58
SHA512

d47aabe258d394e118f505deda8b71524bd76a76e0a589916fe41ec316cf8b0134b6baeb7e8d08e6e38f6772d571964023934b86783610f69cec6421b470ab01
SSDEEP

24576:LzDQmjrlwrHfz12dZYaVrbaGPL3e3Z+h9QxUCh1tMsTX+:3DtR6r12dnNbaILmEhGxHvq

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 63 IoCs

pid	Process
2416	500.exe
2844	Install.exe
2796	50.exe
2924	50.exe
2636	50.exe
2616	50.exe
1948	50.exe
2112	50.exe
3052	50.exe
1684	10.exe
1816	50.exe
1248	50.exe
1264	50.exe
2100	10.exe
1496	10.exe
1316	10.exe
1864	10.exe
2736	10.exe
2940	10.exe
1560	10.exe
2036	ICL.exe
2212	10.exe
2984	10.exe
2876	10.exe
2468	10.exe
2248	10.exe
2424	10.exe
2476	10.exe
2276	10.exe
2268	10.exe
2260	10.exe
1876	10.exe
900	10.exe
2320	10.exe
960	10.exe
596	10.exe
1620	10.exe
1060	10.exe
2456	10.exe
864	10.exe
2920	10.exe
1480	10.exe
3016	10.exe
3024	10.exe
1004	10.exe
1544	10.exe
2300	10.exe
2504	10.exe
2156	10.exe
1596	10.exe
2840	10.exe
2388	10.exe
2788	10.exe
2376	10.exe
2168	10.exe
2764	10.exe
1636	10.exe
2760	10.exe
1956	10.exe
2196	10.exe
2652	10.exe
2752	10.exe
2708	10.exe

Loads dropped DLL 64 IoCs

pid	Process
2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
2416	500.exe
2416	500.exe
2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2844	Install.exe
2844	Install.exe
2796	50.exe
2796	50.exe
2796	50.exe
2416	500.exe
2416	500.exe
2924	50.exe
2924	50.exe
2924	50.exe
2636	50.exe
2636	50.exe
2636	50.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2616	50.exe
2616	50.exe
2616	50.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
2416	500.exe
1948	50.exe
1948	50.exe
1948	50.exe
2416	500.exe
2416	500.exe
2112	50.exe
2112	50.exe
2112	50.exe
2796	50.exe
2636	50.exe
2796	50.exe
1684	10.exe
1684	10.exe
1684	10.exe
3052	50.exe
3052	50.exe
3052	50.exe
2636	50.exe
2796	50.exe
1816	50.exe
1816	50.exe
2636	50.exe
2616	50.exe
1948	50.exe
1816	50.exe
2924	50.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICL Start = "C:\\Windows\\SysWOW64\\JNNXXI\\ICL.exe"	ICL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\JNNXXI\ICL.001	Install.exe
File created	C:\Windows\SysWOW64\JNNXXI\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\JNNXXI\	ICL.exe
File opened for modification	C:\Windows\SysWOW64\JNNXXI\ICL.008	ICL.exe
File created	C:\Windows\SysWOW64\JNNXXI\App_Aug_14_2024__22_37_30.html	ICL.exe
File created	C:\Windows\SysWOW64\JNNXXI\ICL.004	Install.exe
File created	C:\Windows\SysWOW64\JNNXXI\ICL.002	Install.exe
File created	C:\Windows\SysWOW64\JNNXXI\ICL.003	Install.exe
File created	C:\Windows\SysWOW64\JNNXXI\ICL.exe	Install.exe
File created	C:\Windows\SysWOW64\JNNXXI\ICL.008	ICL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	ICL.exe
2036	ICL.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2036	ICL.exe
Token: SeIncBasePriorityPrivilege	2036	ICL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2036	ICL.exe
2036	ICL.exe
2036	ICL.exe
2036	ICL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2416	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2960 wrote to memory of 2844	2960	97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2796	2416	500.exe	32
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2924	2416	500.exe	33
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 2636	2416	500.exe	34
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 3052	2416	500.exe	35
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 2616	2416	500.exe	36
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1816	2416	500.exe	37
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1948	2416	500.exe	38
PID 2416 wrote to memory of 1248	2416	500.exe	39

C:\Users\Admin\AppData\Local\Temp\97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97f427eba588cc8ddb5bb4060d4da670_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\500.exe
  "C:\Users\Admin\AppData\Local\Temp\500.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:960
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3016
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Users\Admin\AppData\Local\Temp\50.exe
    "C:\Users\Admin\AppData\Local\Temp\50.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2840
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\JNNXXI\ICL.exe
    "C:\Windows\system32\JNNXXI\ICL.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JNNXXI\Aug_14_2024__22_37_30.008

Filesize
9KB

MD5
de321aa49067725bbd8a7b437cd81717

SHA1
5680d741f1b02be9203b5b512adbc38e93035b7c

SHA256
60d398f5f27feb54e9a7ff0ceb2729d97d6fa8d5e2d6ca2acd9e8186220f524a

SHA512
987179d747541a9b984744f0a7cba2c62f0b4e84bca75577ecaa2d9c7ea7659e765961aee92bd5e3fd04bc9feb7d4d37edfdeffcaa59413c4f23543475c717a7

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
731B

MD5
24ff2c356a9e456e6062e90b4d511158

SHA1
6bfb38fce599fcccc16110e5ce6324d25ec680ad

SHA256
1d8f2809a9b68ab2840dbb9609fc45793c408279687c59941fcccd885573f10c

SHA512
512b3eb86781a5b167c2bfff301403638e107fe7b824302c3f579eb44f003d92c286b62e4d116dfb5775e3cf6f0f02938487deb0671557a05b7cbea648db950e

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
977B

MD5
8198f2c0b3a0ec625cef0e64b3ef90c8

SHA1
3c92f622a5855f40563b322c547049de29780443

SHA256
61de5231c90e62f142e1a36c01543f885472606685c03bf815f20542acfd12e8

SHA512
9d8c38c9c84abd2c451eae0afc3f83d8cbaf5b03fd3a81b99d1affe3120cb5688aaae78ef1feb264925b6a2387e576870d08d9b09a0f89623150fb2fd43434f2

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
1KB

MD5
1b810d63ed6459165d725517c212ad9f

SHA1
8253e54ecdfbde7bfe86fd9d02d96cf67d9423e1

SHA256
803fb254e875f4f5e576ff5047385fcb946f62dee00205013245b590ddabfa00

SHA512
fbdeef09490b45522a856a6ccc80ccae9f098aa139e22f5c97074503ae342ef3bcd0dfc75899758f53c95402c8c083b67f594c4c6332aa99fbfc2cccd97735b0

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
2KB

MD5
2accdc5d54ad2465cba2dbd57493afae

SHA1
421c4a9a3cabfa30a2485fb2082117210bfef007

SHA256
5c54f9028baf9a421772c536e757280f2c1e97b58f49ef70e9f1977519f050c4

SHA512
1e330fdc161fd72d60b7fb5d94f365bee2763459605c01a07a42823591cb41b2ba7422d6c29400fc3fe3a24c3fa42095b873c931119b6d36da16028a615d2fc4

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
2KB

MD5
7ed990c6fb1b2620139b37fd8f55d79d

SHA1
eff12ad233862ca402660475cf9453616570664e

SHA256
91063335902ac915c8d19c7a7ee53dac164920403838dfb094f916c1c23ca6bf

SHA512
2bf407f2a0b21518a9321d0d8b5b8a48acfa9e33f1ae3a3ceb566c5719b9ae24df1c1a42e0995fb94cae1be93062c7bd992c43c1344be4b3d6999287042ca7c5

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
3KB

MD5
c2588f318ac9a32fbf8cdd04cbeeaf77

SHA1
816c9a4cf64ee850bd95cc4a336e611d3deb008c

SHA256
b774c2d0803783105972d32115c5f49d8b70bf219c224708da976c2b4b768518

SHA512
91854781fdccabb7acdb4618f485de335f8385bf1e85fd1e03ac99c60a688865dd4793738250ee318670d05ed5bcecb0c3db0bdcbab327a3f729302ba33cf3fd

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
3KB

MD5
db24a9412fea26f1d77af8f2130f57f5

SHA1
b656f2949a9f2d83803f89ae717db7e4efb11b12

SHA256
d755a683888530098521ed81850d33af1f8349defa8698179a8b79a07ce3db86

SHA512
635706acd96c6a7524638d074ab7405d8271cdb5f2d9f09f7f7b461f047015925a454e5b41281fe8a85c12f68fdef4da90f29b181ab65604d17936e706936b16

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
5KB

MD5
86c2f9d8a4507caa2c1f419108058489

SHA1
cbb38627ba73794f20d077eb199e055c78711aa4

SHA256
1ee9ca8ba0eb0a69ed2db5e6c82ebd077e0ba630b2efff31a696ab2714a97c5b

SHA512
1a18e896b02d40495dcb7c554add031b367c93a5d363c465ea537b66d0ed0ac6f8ff9ee23f9dc8207a3464f1779aa428b180f9675b26c42840f56d0d6302ba8c

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
5KB

MD5
1714eb71ab0f4c5780de27e29727a855

SHA1
c70d44a85b0a830bf85661bf0ac8c3149f48e288

SHA256
07c60597ce17eaafd69206aca1d6378b49082810eab8eeda322e21d16483d777

SHA512
6f39a4b6cd35ca0ad556cd9f35f5c7375ae6021d62afd60ad163f0cba2e975f68343cf6f58f03477a0118158e9852647ed555890aef6cc6f0d03b9c03a45fad0

Download Submit
C:\Windows\SysWOW64\JNNXXI\ICL.008

Filesize
9KB

MD5
c4c5968e52ae371c6bf3a1821d7ab691

SHA1
db92b08cd1af603b104284e1f786227fe66b82a8

SHA256
a7484f40c4b065cc68eb99681fdfd2bf89eb9bdb0c926fe23a385e1bcf658561

SHA512
5278faeba3a6329c1cb8a270415ba4fa5ee76615115c0e6cd3a1e2554b475fb468d3692b920e176e5552bf2d7ec7f0ad7eb4e248d260c5fe4ccc2072efc9c425

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe

Filesize
48KB

MD5
ae5e5a4efb4f9fffa45d4ea936882a8b

SHA1
e9ebfb4faac90fc7062d2809552a166f19986b0d

SHA256
9ca5055d1a224f0f0f7b2cf9f6a12bd6a7b2af5b915703608ef34c14a70fb580

SHA512
2d275f765c1954a27496760d7b71f14f373d70ff1a8469cc26d7057f775fab387e9ea2be4996a457c1297cbe2f58b1121c1bb2bdc2d427e779348175bda0cee1

Download Submit
\Users\Admin\AppData\Local\Temp\50.exe

Filesize
69KB

MD5
9b247e26a463073089a436d9a4d331dd

SHA1
8a4da3610f1c13eb844f0d29f9fe03819f3d9197

SHA256
f5ad628810a990c0dd48f61f4966556e99f57f394d8ece12239f06da8ada871f

SHA512
6951a1c7ebb8cc102db81614d1781b3a4cd1f355cb12db7e05632413182c01bd50bb63dd731e8d7aafe04999d1a75fb61a1f184609a6bfc35be4ea5f25f3f27e

Download Submit
\Users\Admin\AppData\Local\Temp\500.exe

Filesize
91KB

MD5
d3724a13045976a5cc8c9205d54f4833

SHA1
0e48d4b76514fcfeea7e70ba46f8d353e01b156f

SHA256
44f80909da076d42c1c53d49c2d774a29b0b057d68e1cb2a58f215ddf103a268

SHA512
fe98ce8b408425c6d55b6038ffbccfc056eac4b8129890f53d8391a6f90444b92f873538068a894a1628190fd90d25800d80042937c7cb242a7d303eb74db409

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.2MB

MD5
cc6d3e63801f0185a1613d3bec64d352

SHA1
f0e885069736fe4cbba281c89bf6755936ca2c98

SHA256
cc88c63b7661c17f4b193caaa8f3f4fa0216f5621fd57217e370f28dbc576509

SHA512
232d23fa198e0447a8b1dbdbfe02aaf214672a15d92bc6456d13a150d845b867bbd5dc176e1739158756a8f6753c606177c07df4768c6e56880c18aedbfb0955

Download Submit