Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/08/2024, 05:21
Static task: static1
Behavioral task: behavioral1
- Sample: c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2 (the run shown on this page)
- Sample: c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
- Size: 812KB
- MD5: c25bab4d90ee29cc8a07c8c28e8094bd
- SHA1: 81c0131227b99015cc3f89c7bd7edf871a20e19d
- SHA256: d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57
- SHA512: 61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836
- SSDEEP: 24576:XDDbCLHCz4d67gpgy8Z5WZZAztVm8oyCcW7:TSTRw4gyhrAzrc
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 10 IoCs)
Description, IoC and process for each entry:
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\googsvc.exe = "C:\\Windows\\Temp\\googsvc.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\drivergen.exe = "C:\\Users\\Admin\\AppData\\Roaming\\drivergen.exe:*:Enabled:Windows Messanger" (reg.exe)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chksvc32 .exe (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chksvc32 .exe (cmd.exe)
Executes dropped EXE (15 IoCs)
PID and process:
- 4864 googsvc.exe
- 2800 chksvc32 .exe
- 2028 googsvc.exe
- 1468 chksvc32 .exe
- 2824 googsvc.exe
- 792 chksvc32 .exe
- 1640 googsvc.exe
- 2840 chksvc32 .exe
- 1644 googsvc.exe
- 2376 chksvc32 .exe
- 2272 googsvc.exe
- 3444 chksvc32 .exe
- 3460 googsvc.exe
- 3304 chksvc32 .exe
- 3068 googsvc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chksvc32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chksvc32 .exe" (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe)
Suspicious use of SetThreadContext (8 IoCs)
Source PID, target PID, source process and target procid:
- PID 4100 set thread context of 4864 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 89)
- PID 2800 set thread context of 2028 (chksvc32 .exe, target procid 121)
- PID 1468 set thread context of 2824 (chksvc32 .exe, target procid 130)
- PID 792 set thread context of 1640 (chksvc32 .exe, target procid 136)
- PID 2840 set thread context of 1644 (chksvc32 .exe, target procid 143)
- PID 2376 set thread context of 2272 (chksvc32 .exe, target procid 153)
- PID 3444 set thread context of 3460 (chksvc32 .exe, target procid 162)
- PID 3304 set thread context of 3068 (chksvc32 .exe, target procid 171)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 35 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 35 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; number of entries per process:
- googsvc.exe (8)
- cmd.exe (7)
- chksvc32 .exe (7)
- PING.EXE (7)
- reg.exe (4)
- c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe (1)
- wscript.exe (1)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 7 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PID and process: 4604 PING.EXE, 5076 PING.EXE, 1796 PING.EXE, 2792 PING.EXE, 4816 PING.EXE, 3480 PING.EXE, 4448 PING.EXE
Modifies registry key (1 TTPs, 4 IoCs)
PID and process: 3456 reg.exe, 2324 reg.exe, 3964 reg.exe, 1880 reg.exe
Runs ping.exe (1 TTPs, 7 IoCs)
PID and process: 4816 PING.EXE, 3480 PING.EXE, 4448 PING.EXE, 4604 PING.EXE, 5076 PING.EXE, 1796 PING.EXE, 2792 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID and process, with the number of entries for each:
- 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe (6)
- 2800 chksvc32 .exe (6)
- 1468 chksvc32 .exe (10)
- 792 chksvc32 .exe (10)
- 2840 chksvc32 .exe (7)
- 2376 chksvc32 .exe (12)
- 3444 chksvc32 .exe (12)
- 3304 chksvc32 .exe (1)
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Token, PID and process:
- SeDebugPrivilege: 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
- 4864 googsvc.exe, 35 entries in LUID order: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- SeDebugPrivilege: 2800 chksvc32 .exe
- SeDebugPrivilege: 1468 chksvc32 .exe
- SeDebugPrivilege: 792 chksvc32 .exe
- SeDebugPrivilege: 2840 chksvc32 .exe
- SeDebugPrivilege: 2376 chksvc32 .exe
- SeDebugPrivilege: 3444 chksvc32 .exe
- SeDebugPrivilege: 3304 chksvc32 .exe
Suspicious use of SetWindowsHookEx (17 IoCs)
PID and process, with the number of entries for each: 4864 googsvc.exe (3), 2028 googsvc.exe (2), 2824 googsvc.exe (2), 1640 googsvc.exe (2), 1644 googsvc.exe (2), 2272 googsvc.exe (2), 3460 googsvc.exe (2), 3068 googsvc.exe (2)
Suspicious use of WriteProcessMemory (64 IoCs)
Source PID, target PID, source process and target procid, listed as distinct pairs with the number of entries for each:
- PID 4100 wrote to memory of 2984 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 85) x3
- PID 2984 wrote to memory of 1028 (cmd.exe, target procid 87) x3
- PID 4100 wrote to memory of 3884 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 88) x3
- PID 4100 wrote to memory of 4864 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 89) x8
- PID 4100 wrote to memory of 1716 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 90) x3
- PID 4100 wrote to memory of 4160 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 91) x3
- PID 4864 wrote to memory of 3692 (googsvc.exe, target procid 93) x3
- PID 4864 wrote to memory of 4132 (googsvc.exe, target procid 94) x3
- PID 4864 wrote to memory of 4916 (googsvc.exe, target procid 95) x3
- PID 4864 wrote to memory of 4296 (googsvc.exe, target procid 96) x3
- PID 1028 wrote to memory of 3972 (wscript.exe, target procid 101) x3
- PID 4916 wrote to memory of 3456 (cmd.exe, target procid 103) x3
- PID 4132 wrote to memory of 2324 (cmd.exe, target procid 104) x3
- PID 3692 wrote to memory of 3964 (cmd.exe, target procid 105) x3
- PID 4296 wrote to memory of 1880 (cmd.exe, target procid 106) x3
- PID 4100 wrote to memory of 4180 (c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe, target procid 116) x3
- PID 4180 wrote to memory of 1796 (cmd.exe, target procid 118) x3
- PID 4180 wrote to memory of 2800 (cmd.exe, target procid 119) x3
- PID 2800 wrote to memory of 3944 (chksvc32 .exe, target procid 120) x3
- PID 2800 wrote to memory of 2028 (chksvc32 .exe, target procid 121) x2
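The SetThreadContext and WriteProcessMemory signatures above are two halves of one pattern: a parent starts a child (googsvc.exe under the sample, then under each chksvc32 .exe), writes into it, and then resets its thread context, which is the classic process-hollowing sequence (ATT&CK T1055.012). The script below is an added example, not tria.ge code: it pairs each set-thread-context record with the write records from the same source into the same target, using indicator lines copied from the two signatures and a pid-to-image table taken from the process tree. Two caveats are built into how it reports: the WriteProcessMemory list is capped at 64 IoCs, so a pair with zero writes (1468 -> 2824) means the list was truncated, not that nothing was written; and PIDs are reused within the run (1796 is a PING.EXE early on and a googsvc.exe child of 2840 later), so anything keyed on PID alone must also respect ordering.

```python
"""Correlate SetThreadContext and WriteProcessMemory indicators from this report.

Added example; the indicator lines are copied from the report's signatures and
the pid -> image table from its process tree.
"""
from __future__ import annotations

import re
from collections import Counter

# "PID <src> <action> <dst> <src> <source image> <target procid>". The image may
# contain spaces ("chksvc32 .exe"), so it is matched lazily up to the final number.
IOC_LINE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<procid>\d+)$"
)

# Copied from the report; the WriteProcessMemory signature is capped at 64 entries,
# which is why no writes from 1468 into 2824 appear here.
REPORT_IOCS = """\
PID 4100 set thread context of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 2800 set thread context of 2028 2800 chksvc32 .exe 121
PID 1468 set thread context of 2824 1468 chksvc32 .exe 130
PID 4100 wrote to memory of 2984 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 85
PID 4100 wrote to memory of 2984 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 85
PID 4100 wrote to memory of 2984 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 85
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 4100 wrote to memory of 4864 4100 c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe 89
PID 2800 wrote to memory of 2028 2800 chksvc32 .exe 121
PID 2800 wrote to memory of 2028 2800 chksvc32 .exe 121
"""

# pid -> image from the process tree, restricted to the pids referenced above.
# Reused pids (1796) are deliberately absent: a real tool must key on ordering too.
PROCESS_IMAGES = {
    4100: "c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe",
    2984: "cmd.exe",
    4864: "googsvc.exe",
    2800: "chksvc32 .exe",
    2028: "googsvc.exe",
    1468: "chksvc32 .exe",
    2824: "googsvc.exe",
}


def parse_iocs(text: str) -> list[tuple[int, str, int]]:
    """Return (source pid, action, target pid) for every indicator line."""
    records = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if m:
            records.append((int(m["src"]), m["action"], int(m["dst"])))
    return records


def hollowing_candidates(records: list[tuple[int, str, int]],
                         images: dict[int, str]) -> list[dict]:
    """One entry per SetThreadContext, with the matching write count from the same source."""
    writes = Counter((s, d) for s, a, d in records if a == "wrote to memory of")
    out = []
    for s, a, d in records:
        if a == "set thread context of":
            out.append({
                "source": s, "source_image": images.get(s, "?"),
                "target": d, "target_image": images.get(d, "?"),
                "writes": writes[(s, d)],  # 0 can mean "truncated list", not "no write"
            })
    return out


def write_only_children(records: list[tuple[int, str, int]]) -> set[int]:
    """Targets written to but never given a new thread context: ordinary child creation here."""
    written = {d for s, a, d in records if a == "wrote to memory of"}
    hollowed = {d for s, a, d in records if a == "set thread context of"}
    return written - hollowed


if __name__ == "__main__":
    recs = parse_iocs(REPORT_IOCS)
    for c in hollowing_candidates(recs, PROCESS_IMAGES):
        print(f"{c['source']} {c['source_image']} -> {c['target']} {c['target_image']}: "
              f"{c['writes']} write(s) before SetThreadContext")
    print("write-only children:", sorted(write_only_children(recs)))
```

Reading the output against the tree: the sample (4100) writes eight times into googsvc.exe 4864 before resetting its context, and chksvc32 .exe 2800 does the same to googsvc.exe 2028, while cmd.exe 2984 is only written to, the way every ordinary child in this run is. The three extra googsvc.exe children under each chksvc32 .exe that carry no signatures are visible in the tree but not in these records; the report does not say what happened to them.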
Processes
Each entry gives the image path, PID, command line and the signatures that fired for that process; indentation shows the parent/child relationship.
- C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe (PID 4100)
  command line: "C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2984)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe (PID 1028)
      command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
      signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3972)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
        signatures: Drops startup file; System Location Discovery: System Language Discovery
  - C:\Windows\Temp\googsvc.exe (PID 3884)
    command line: C:\Windows\Temp\googsvc.exe
  - C:\Windows\Temp\googsvc.exe (PID 4864)
    command line: C:\Windows\Temp\googsvc.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3692)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 3964)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 4132)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2324)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
        signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 4916)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 3456)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 4296)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1880)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
        signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Windows\Temp\googsvc.exe (PID 1716)
    command line: C:\Windows\Temp\googsvc.exe
  - C:\Windows\Temp\googsvc.exe (PID 4160)
    command line: C:\Windows\Temp\googsvc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 4180)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1796)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 2800)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\googsvc.exe (PID 3944)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 2028)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 4852)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 4804)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 2792)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 1468)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 4220)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 2824)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 2656)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 4592)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 4816)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 792)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 3960)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 1640)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 468)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 1792)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 3480)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 2840)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 2352)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 1644)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 1796, PID reused from the earlier PING.EXE)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 1308)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 4448)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 2376)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 3608)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 2272)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 3552)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 4452)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 4604)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 3444)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 4792)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 3460)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 4468)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 1724)
        command line: C:\Windows\Temp\googsvc.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 5076)
      command line: ping 1.1.1.1 -n 1 -w 3000
      signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe (PID 3304)
      command line: "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Temp\googsvc.exe (PID 1456)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 3068)
        command line: C:\Windows\Temp\googsvc.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Temp\googsvc.exe (PID 5016)
        command line: C:\Windows\Temp\googsvc.exe
      - C:\Windows\Temp\googsvc.exe (PID 3132)
        command line: C:\Windows\Temp\googsvc.exe
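The signature rows and the command lines in the process tree are enough to write detections for this run: reg.exe setting DoNotAllowExceptions to 0 and adding entries under AuthorizedApplications\List in the "path:*:Enabled:name" format, a Run key pointing at an executable in Temp whose name carries a space before .exe (chksvc32 .exe), cmd.exe and wscript.exe running java.bat, java2.bat and invs.vbs out of Temp, and per.bat's "ping 1.1.1.1 -n 1 -w 3000" used as a sleep between relaunches of chksvc32 .exe. The script below is an added example, not part of the report: the event record layout is this example's own rather than the sandbox's, and every sample event is constructed to mirror the report, with two benign records (an OneDrive Run key, a "ping -n 4") as controls. One caveat worth carrying into a real rule: StandardProfile\AuthorizedApplications\List and DoNotAllowExceptions are the pre-Vista firewall keys, and on the Windows 10 image used here the report only shows the registry writes, not that traffic was actually allowed; confirm against the active rule set (netsh advfirewall firewall show rule name=all, or Get-NetFirewallRule) before treating the host's firewall as opened.

```python
"""Detection logic for the behaviours in this report, run over constructed events.

Added example, not the sandbox's code: the record layout below is this example's
own, and the sample events are constructed to mirror the report's indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    process: str
    key: str
    value_name: str
    data: str


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


FIREWALL_POLICY = "\\sharedaccess\\parameters\\firewallpolicy\\"
# Legacy per-application exception data: "<path>:<scope>:Enabled|Disabled:<display name>"
LEGACY_EXCEPTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)
# Whitespace right before the extension ("chksvc32 .exe") is a naming trick worth flagging
SPACE_BEFORE_EXT = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
SCRIPT_FROM_TEMP = re.compile(r"\\temp\\[^\"\s]*\.(bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)
INTERPRETERS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")
# "ping <host> -n 1 -w <ms>" from a batch file is a sleep, not a connectivity test
PING_SLEEP = re.compile(r"ping\s+\S+\s+-n\s+1\s+-w\s+\d+", re.IGNORECASE)


def check_registry(ev: RegistryEvent) -> list[str]:
    alerts = []
    key = ev.key.lower()
    data = ev.data.strip('"')
    if FIREWALL_POLICY in key:
        if ev.value_name.lower() == "donotallowexceptions" and data == "0":
            alerts.append(f"[{ev.process}] firewall exceptions switched on: {ev.key}")
        elif "\\authorizedapplications\\list" in key:
            m = LEGACY_EXCEPTION.match(data)
            if m and m["state"] == "Enabled":
                alerts.append(f"[{ev.process}] legacy firewall exception for {m['path']} as '{m['name']}'")
    elif "\\currentversion\\run" in key:
        # Autostart entries from Temp or with a padded file name; normal AppData installs pass
        if TEMP_DIR.search(data) or SPACE_BEFORE_EXT.search(data):
            alerts.append(f"[{ev.process}] Run key '{ev.value_name}' -> {data}")
    return alerts


def check_process(ev: ProcessEvent) -> list[str]:
    alerts = []
    image = ev.image.lower()
    if image.endswith("ping.exe") and PING_SLEEP.search(ev.command_line):
        alerts.append(f"[pid {ev.pid}] ping used as a delay by {ev.parent_image}: {ev.command_line}")
    if image.endswith(INTERPRETERS) and SCRIPT_FROM_TEMP.search(ev.command_line):
        alerts.append(f"[pid {ev.pid}] script run from Temp: {ev.command_line}")
    if TEMP_DIR.search(ev.image) and SPACE_BEFORE_EXT.search(ev.image):
        alerts.append(f"[pid {ev.pid}] padded executable name launched from Temp: {ev.image}")
    return alerts


def run(events) -> list[str]:
    alerts = []
    for ev in events:
        alerts += check_registry(ev) if isinstance(ev, RegistryEvent) else check_process(ev)
    return alerts


HKLM_FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe"

# Constructed events mirroring the report; the OneDrive and "ping -n 4" records are benign controls
SAMPLE_EVENTS = [
    RegistryEvent("reg.exe", HKLM_FW, "DoNotAllowExceptions", "0"),
    RegistryEvent("reg.exe", HKLM_FW + r"\AuthorizedApplications\List", r"C:\Windows\Temp\googsvc.exe",
                  r"C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger"),
    RegistryEvent(SAMPLE, HKCU_RUN, "chksvc32", r"C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"),
    RegistryEvent("explorer.exe", HKCU_RUN, "OneDrive",
                  r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ProcessEvent(2984, r"C:\Windows\SysWOW64\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "', SAMPLE),
    ProcessEvent(1796, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000", "cmd.exe"),
    ProcessEvent(2800, r"C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"', "cmd.exe"),
    ProcessEvent(900, r"C:\Windows\System32\PING.EXE", "ping -n 4 10.0.0.1", "cmd.exe"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

On the sample events the two firewall writes, the chksvc32 Run key, the java.bat launch, the ping delay and the padded chksvc32 .exe image each raise one alert, and the two control records raise none. The ping rule is deliberately narrow (single echo with an explicit timeout), since "-n 4" against an internal host is what an administrator types; widen it only with a parent-process condition such as the cmd.exe-from-a-.bat chain seen here.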
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 499B
  MD5: 17f7e5c69c4f1dc984a9810dde3b6982
  SHA1: 601b5cf990955dabd1693049c2ed13b9ee2d2bd9
  SHA256: 88f6579fa5ec5ee4040bc0cc74ff0f95966ccfb0181342f51362c42cc10cee12
  SHA512: a48162a368d358fe99876d95f0389f07bcbe0f689b741db722d284dbb43dfdeccb0589cc64cb0bad379333bcdbb88c0d3fba7d419572216a219907e2cf501df1
- Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
- Filesize: 47B
  MD5: 81bf5400486e5da45ba0c6c1399d843f
  SHA1: d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d
  SHA256: d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1
  SHA512: ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140
- Filesize: 151B
  MD5: f73f12c228d1739deaf18b076fa97cc5
  SHA1: 9a66b62b35fb1a25100d45850033bc2743ff38c9
  SHA256: d73fdd571ff32309fbaae805207a4c1dae63b10de34f2559794ad90ffafeab6f
  SHA512: ee8a46e408db8d70834c37059c6b85638818c90f2f1a7387f68bb80e90e879c1dc9527e2f7265f3d953703f16859520b640bca70de4f269e9854306120ede530
- Filesize: 111B
  MD5: 9f5ca9584ebfaf1e7edec5f5e063edc4
  SHA1: 8ad29316bb42023ef7fb22e5023d14c223fcee68
  SHA256: ab348f675a736ec52b56896512a30e1b5fdf0546f1f4686ed908d318a2ca5309
  SHA512: 0f4d6711b5697ddc093e448809d8b462d384d8ba38ed81dc31069a0529477defbb537f2d5be9c0d61c277aa7e8700a82ae12d4c39e939661a310d280b1551585
- Filesize: 812KB (same hashes as the submitted sample)
  MD5: c25bab4d90ee29cc8a07c8c28e8094bd
  SHA1: 81c0131227b99015cc3f89c7bd7edf871a20e19d
  SHA256: d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57
  SHA512: 61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836
- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34