d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
Size

812KB
MD5

c25bab4d90ee29cc8a07c8c28e8094bd
SHA1

81c0131227b99015cc3f89c7bd7edf871a20e19d
SHA256

d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57
SHA512

61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836
SSDEEP

24576:XDDbCLHCz4d67gpgy8Z5WZZAztVm8oyCcW7:TSTRw4gyhrAzrc

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\googsvc.exe = "C:\\Windows\\Temp\\googsvc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chksvc32 .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chksvc32 .exe	cmd.exe

Executes dropped EXE 39 IoCs

pid	Process
2660	googsvc.exe
2740	googsvc.exe
2680	googsvc.exe
2220	googsvc.exe
2372	chksvc32 .exe
2300	googsvc.exe
2164	googsvc.exe
2784	googsvc.exe
2280	googsvc.exe
1764	chksvc32 .exe
1580	googsvc.exe
1684	googsvc.exe
1884	googsvc.exe
832	googsvc.exe
2088	chksvc32 .exe
568	googsvc.exe
2460	googsvc.exe
840	googsvc.exe
1524	googsvc.exe
2608	chksvc32 .exe
2636	googsvc.exe
536	googsvc.exe
1212	googsvc.exe
2616	googsvc.exe
3064	chksvc32 .exe
1876	googsvc.exe
2864	googsvc.exe
1052	googsvc.exe
2504	googsvc.exe
2848	chksvc32 .exe
1456	googsvc.exe
1240	googsvc.exe
2272	googsvc.exe
1780	googsvc.exe
1100	chksvc32 .exe
2192	googsvc.exe
1396	googsvc.exe
1640	googsvc.exe
1644	googsvc.exe

Loads dropped DLL 18 IoCs

pid	Process
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe
2276	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\chksvc32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chksvc32 .exe"	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2372 set thread context of 2300	2372	chksvc32 .exe	56
PID 1764 set thread context of 1580	1764	chksvc32 .exe	63
PID 2088 set thread context of 568	2088	chksvc32 .exe	69
PID 2608 set thread context of 2636	2608	chksvc32 .exe	75
PID 3064 set thread context of 1876	3064	chksvc32 .exe	81
PID 2848 set thread context of 1456	2848	chksvc32 .exe	87
PID 1100 set thread context of 2192	1100	chksvc32 .exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chksvc32 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googsvc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1652	PING.EXE
2544	PING.EXE
2968	PING.EXE
2236	PING.EXE
2768	PING.EXE
2120	PING.EXE
1456	PING.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2584	reg.exe
2972	reg.exe
3064	reg.exe
3016	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2120	PING.EXE
1456	PING.EXE
1652	PING.EXE
2544	PING.EXE
2968	PING.EXE
2236	PING.EXE
2768	PING.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
2372	chksvc32 .exe
2372	chksvc32 .exe
2372	chksvc32 .exe
2372	chksvc32 .exe
2372	chksvc32 .exe
2372	chksvc32 .exe
1764	chksvc32 .exe
1764	chksvc32 .exe
1764	chksvc32 .exe
1764	chksvc32 .exe
1764	chksvc32 .exe
1764	chksvc32 .exe
2088	chksvc32 .exe
2088	chksvc32 .exe
2088	chksvc32 .exe
2088	chksvc32 .exe
2088	chksvc32 .exe
2088	chksvc32 .exe
2608	chksvc32 .exe
2608	chksvc32 .exe
2608	chksvc32 .exe
2608	chksvc32 .exe
2608	chksvc32 .exe
2608	chksvc32 .exe
3064	chksvc32 .exe
3064	chksvc32 .exe
3064	chksvc32 .exe
3064	chksvc32 .exe
3064	chksvc32 .exe
3064	chksvc32 .exe
2848	chksvc32 .exe
2848	chksvc32 .exe
2848	chksvc32 .exe
2848	chksvc32 .exe
2848	chksvc32 .exe
2848	chksvc32 .exe
1100	chksvc32 .exe
1100	chksvc32 .exe
1100	chksvc32 .exe
1100	chksvc32 .exe
1100	chksvc32 .exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
Token: 1	2660	googsvc.exe
Token: SeCreateTokenPrivilege	2660	googsvc.exe
Token: SeAssignPrimaryTokenPrivilege	2660	googsvc.exe
Token: SeLockMemoryPrivilege	2660	googsvc.exe
Token: SeIncreaseQuotaPrivilege	2660	googsvc.exe
Token: SeMachineAccountPrivilege	2660	googsvc.exe
Token: SeTcbPrivilege	2660	googsvc.exe
Token: SeSecurityPrivilege	2660	googsvc.exe
Token: SeTakeOwnershipPrivilege	2660	googsvc.exe
Token: SeLoadDriverPrivilege	2660	googsvc.exe
Token: SeSystemProfilePrivilege	2660	googsvc.exe
Token: SeSystemtimePrivilege	2660	googsvc.exe
Token: SeProfSingleProcessPrivilege	2660	googsvc.exe
Token: SeIncBasePriorityPrivilege	2660	googsvc.exe
Token: SeCreatePagefilePrivilege	2660	googsvc.exe
Token: SeCreatePermanentPrivilege	2660	googsvc.exe
Token: SeBackupPrivilege	2660	googsvc.exe
Token: SeRestorePrivilege	2660	googsvc.exe
Token: SeShutdownPrivilege	2660	googsvc.exe
Token: SeDebugPrivilege	2660	googsvc.exe
Token: SeAuditPrivilege	2660	googsvc.exe
Token: SeSystemEnvironmentPrivilege	2660	googsvc.exe
Token: SeChangeNotifyPrivilege	2660	googsvc.exe
Token: SeRemoteShutdownPrivilege	2660	googsvc.exe
Token: SeUndockPrivilege	2660	googsvc.exe
Token: SeSyncAgentPrivilege	2660	googsvc.exe
Token: SeEnableDelegationPrivilege	2660	googsvc.exe
Token: SeManageVolumePrivilege	2660	googsvc.exe
Token: SeImpersonatePrivilege	2660	googsvc.exe
Token: SeCreateGlobalPrivilege	2660	googsvc.exe
Token: 31	2660	googsvc.exe
Token: 32	2660	googsvc.exe
Token: 33	2660	googsvc.exe
Token: 34	2660	googsvc.exe
Token: 35	2660	googsvc.exe
Token: SeDebugPrivilege	2372	chksvc32 .exe
Token: SeDebugPrivilege	1764	chksvc32 .exe
Token: SeDebugPrivilege	2088	chksvc32 .exe
Token: SeDebugPrivilege	2608	chksvc32 .exe
Token: SeDebugPrivilege	3064	chksvc32 .exe
Token: SeDebugPrivilege	2848	chksvc32 .exe
Token: SeDebugPrivilege	1100	chksvc32 .exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2660	googsvc.exe
2660	googsvc.exe
2660	googsvc.exe
2300	googsvc.exe
2300	googsvc.exe
1580	googsvc.exe
1580	googsvc.exe
568	googsvc.exe
568	googsvc.exe
2636	googsvc.exe
2636	googsvc.exe
1876	googsvc.exe
1876	googsvc.exe
1456	googsvc.exe
1456	googsvc.exe
2192	googsvc.exe
2192	googsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2876	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2876	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2876	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2876	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2772	2876	cmd.exe	32
PID 2876 wrote to memory of 2772	2876	cmd.exe	32
PID 2876 wrote to memory of 2772	2876	cmd.exe	32
PID 2876 wrote to memory of 2772	2876	cmd.exe	32
PID 2844 wrote to memory of 2740	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	33
PID 2844 wrote to memory of 2740	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	33
PID 2844 wrote to memory of 2740	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	33
PID 2844 wrote to memory of 2740	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	33
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2660	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	34
PID 2844 wrote to memory of 2680	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	35
PID 2844 wrote to memory of 2680	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	35
PID 2844 wrote to memory of 2680	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	35
PID 2844 wrote to memory of 2680	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	35
PID 2844 wrote to memory of 2220	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	36
PID 2844 wrote to memory of 2220	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	36
PID 2844 wrote to memory of 2220	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	36
PID 2844 wrote to memory of 2220	2844	c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe	36
PID 2772 wrote to memory of 264	2772	wscript.exe	37
PID 2772 wrote to memory of 264	2772	wscript.exe	37
PID 2772 wrote to memory of 264	2772	wscript.exe	37
PID 2772 wrote to memory of 264	2772	wscript.exe	37
PID 2660 wrote to memory of 2236	2660	googsvc.exe	39
PID 2660 wrote to memory of 2236	2660	googsvc.exe	39
PID 2660 wrote to memory of 2236	2660	googsvc.exe	39
PID 2660 wrote to memory of 2236	2660	googsvc.exe	39
PID 2660 wrote to memory of 1052	2660	googsvc.exe	40
PID 2660 wrote to memory of 1052	2660	googsvc.exe	40
PID 2660 wrote to memory of 1052	2660	googsvc.exe	40
PID 2660 wrote to memory of 1052	2660	googsvc.exe	40
PID 2660 wrote to memory of 2012	2660	googsvc.exe	41
PID 2660 wrote to memory of 2012	2660	googsvc.exe	41
PID 2660 wrote to memory of 2012	2660	googsvc.exe	41
PID 2660 wrote to memory of 2012	2660	googsvc.exe	41
PID 2660 wrote to memory of 2072	2660	googsvc.exe	43
PID 2660 wrote to memory of 2072	2660	googsvc.exe	43
PID 2660 wrote to memory of 2072	2660	googsvc.exe	43
PID 2660 wrote to memory of 2072	2660	googsvc.exe	43
PID 2236 wrote to memory of 2584	2236	cmd.exe	47
PID 2236 wrote to memory of 2584	2236	cmd.exe	47
PID 2236 wrote to memory of 2584	2236	cmd.exe	47
PID 2236 wrote to memory of 2584	2236	cmd.exe	47
PID 2012 wrote to memory of 3016	2012	cmd.exe	48
PID 2012 wrote to memory of 3016	2012	cmd.exe	48
PID 2012 wrote to memory of 3016	2012	cmd.exe	48
PID 2012 wrote to memory of 3016	2012	cmd.exe	48
PID 1052 wrote to memory of 3064	1052	cmd.exe	49
PID 1052 wrote to memory of 3064	1052	cmd.exe	49
PID 1052 wrote to memory of 3064	1052	cmd.exe	49
PID 1052 wrote to memory of 3064	1052	cmd.exe	49
PID 2072 wrote to memory of 2972	2072	cmd.exe	50
PID 2072 wrote to memory of 2972	2072	cmd.exe	50
PID 2072 wrote to memory of 2972	2072	cmd.exe	50
PID 2072 wrote to memory of 2972	2072	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:264
- C:\Windows\Temp\googsvc.exe
  C:\Windows\Temp\googsvc.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Temp\googsvc.exe
  C:\Windows\Temp\googsvc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2972
- C:\Windows\Temp\googsvc.exe
  C:\Windows\Temp\googsvc.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Temp\googsvc.exe
  C:\Windows\Temp\googsvc.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2784
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2300
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2164
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2280
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1884
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1580
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:832
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1684
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:840
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:568
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1524
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2460
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2616
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2636
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1212
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:536
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1052
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1876
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2504
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2864
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1780
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1456
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:2272
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1240
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1640
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2192
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1396
  - - C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      4⤵
      Executes dropped EXE
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.bat

Filesize
47B

MD5
81bf5400486e5da45ba0c6c1399d843f

SHA1
d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d

SHA256
d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1

SHA512
ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140

Download Submit
C:\Users\Admin\AppData\Local\Temp\java2.bat

Filesize
151B

MD5
f73f12c228d1739deaf18b076fa97cc5

SHA1
9a66b62b35fb1a25100d45850033bc2743ff38c9

SHA256
d73fdd571ff32309fbaae805207a4c1dae63b10de34f2559794ad90ffafeab6f

SHA512
ee8a46e408db8d70834c37059c6b85638818c90f2f1a7387f68bb80e90e879c1dc9527e2f7265f3d953703f16859520b640bca70de4f269e9854306120ede530

Download Submit
C:\Users\Admin\AppData\Local\Temp\per.bat

Filesize
111B

MD5
9f5ca9584ebfaf1e7edec5f5e063edc4

SHA1
8ad29316bb42023ef7fb22e5023d14c223fcee68

SHA256
ab348f675a736ec52b56896512a30e1b5fdf0546f1f4686ed908d318a2ca5309

SHA512
0f4d6711b5697ddc093e448809d8b462d384d8ba38ed81dc31069a0529477defbb537f2d5be9c0d61c277aa7e8700a82ae12d4c39e939661a310d280b1551585

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
812KB

MD5
c25bab4d90ee29cc8a07c8c28e8094bd

SHA1
81c0131227b99015cc3f89c7bd7edf871a20e19d

SHA256
d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57

SHA512
61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836

Download Submit
C:\Windows\Temp\googsvc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/568-132-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1580-113-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1580-109-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1876-175-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1876-174-0x0000000000470000-0x00000000005F1000-memory.dmp

Filesize
1.5MB

Download
memory/2300-91-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2636-152-0x0000000000470000-0x000000000054F000-memory.dmp

Filesize
892KB

Download
memory/2636-153-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-116-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-179-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-159-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-92-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-94-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-157-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-114-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-60-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-136-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2660-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2844-0-0x0000000074C11000-0x0000000074C12000-memory.dmp

Filesize
4KB

Download
memory/2844-59-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-4-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-1-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-71-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download