a2861984847571ba3749d01e7a1aa899ffc1ad35f7f13c023b7021c0770ac281

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe
Size

3.8MB
MD5

d1881d54c95a0f93575ed136dcf7b611
SHA1

1f4ea5fd2214c92412e87c4bc10d22d5ea970c11
SHA256

a2861984847571ba3749d01e7a1aa899ffc1ad35f7f13c023b7021c0770ac281
SHA512

c55d585ccc583d133c8fb32cca403eae1bb7d73f2b8c08d7581ee6f1157fed06d68dee58a3b3b918cf61e374f12b65fec0952d0a2d7f6cc36c8837f43960ddfb
SSDEEP

49152:H6Po9F7eWtgdKQgtGwIhc89HZDiu0O3r4jPcb7pKjJ0EsxmSknRxYiybFKWX55Mx:H6QXefcQEIh9p0KMj+8IjhbgWJ5a5/HJ

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	Flash10ActiveX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.32.18"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	Flash10ActiveX.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2404	flash10plus.exe
876	Flash10ActiveX.exe
1112	winnt32.exe

Loads dropped DLL 22 IoCs

pid	Process
2664	cmd.exe
2664	cmd.exe
2664	cmd.exe
2664	cmd.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe
876	Flash10ActiveX.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d36-17.dat	upx
behavioral1/memory/2664-30-0x0000000000100000-0x0000000000118000-memory.dmp	upx
behavioral1/memory/1112-46-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\internat = "\"C:\\Windows\\SYSTEM32\\WinUpdate.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safe = "\"C:\\Windows\\repair\\internat.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safetray = "\"C:\\Windows\\SYSTEM32\\win32.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	flash10plus.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll	flash10plus.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_FlashUtil.exe	flash10plus.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash10c.ocx	Flash10ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10c.exe	Flash10ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash10c.ocx	Flash10ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10c.exe	Flash10ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	Flash10ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe	flash10plus.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	Flash10ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	flash10plus.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\repair\winu.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flash10ActiveX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flash10plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2848	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c000000012266-11.dat	nsis_installer_1
behavioral1/files/0x0009000000016d2e-14.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■\ = "http://www.biso.cn/js/menu.asp?menu=soft"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,15"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MenuExt\Google ╦╤╦≈\ = "http://www.biso.cn/js/menu.asp?menu=search"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	Flash10ActiveX.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MenuExt\Google ╦╤╦≈	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Icon = "C:\\Windows\\System32\\shell32.dll,15"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=2"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	Flash10ActiveX.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,15"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10c.exe"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╣╚╕Φ╦╤╦≈"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS\ = "0"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.10"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	Flash10ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	Flash10ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"	Flash10ActiveX.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2848	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe
2404	flash10plus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
876	Flash10ActiveX.exe
2404	flash10plus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2664	2524	d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2664	2524	d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2664	2524	d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2664	2524	d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 2404	2664	cmd.exe	32
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 876	2664	cmd.exe	33
PID 2664 wrote to memory of 1112	2664	cmd.exe	34
PID 2664 wrote to memory of 1112	2664	cmd.exe	34
PID 2664 wrote to memory of 1112	2664	cmd.exe	34
PID 2664 wrote to memory of 1112	2664	cmd.exe	34
PID 1112 wrote to memory of 2736	1112	winnt32.exe	35
PID 1112 wrote to memory of 2736	1112	winnt32.exe	35
PID 1112 wrote to memory of 2736	1112	winnt32.exe	35
PID 1112 wrote to memory of 2736	1112	winnt32.exe	35
PID 2736 wrote to memory of 2848	2736	cmd.exe	37
PID 2736 wrote to memory of 2848	2736	cmd.exe	37
PID 2736 wrote to memory of 2848	2736	cmd.exe	37
PID 2736 wrote to memory of 2848	2736	cmd.exe	37
PID 2736 wrote to memory of 2444	2736	cmd.exe	38
PID 2736 wrote to memory of 2444	2736	cmd.exe	38
PID 2736 wrote to memory of 2444	2736	cmd.exe	38
PID 2736 wrote to memory of 2444	2736	cmd.exe	38
PID 2736 wrote to memory of 2072	2736	cmd.exe	39
PID 2736 wrote to memory of 2072	2736	cmd.exe	39
PID 2736 wrote to memory of 2072	2736	cmd.exe	39
PID 2736 wrote to memory of 2072	2736	cmd.exe	39
PID 2736 wrote to memory of 2956	2736	cmd.exe	40
PID 2736 wrote to memory of 2956	2736	cmd.exe	40
PID 2736 wrote to memory of 2956	2736	cmd.exe	40
PID 2736 wrote to memory of 2956	2736	cmd.exe	40
PID 2736 wrote to memory of 1720	2736	cmd.exe	41
PID 2736 wrote to memory of 1720	2736	cmd.exe	41
PID 2736 wrote to memory of 1720	2736	cmd.exe	41
PID 2736 wrote to memory of 1720	2736	cmd.exe	41
PID 2736 wrote to memory of 1996	2736	cmd.exe	42
PID 2736 wrote to memory of 1996	2736	cmd.exe	42
PID 2736 wrote to memory of 1996	2736	cmd.exe	42
PID 2736 wrote to memory of 1996	2736	cmd.exe	42
PID 2736 wrote to memory of 1688	2736	cmd.exe	43
PID 2736 wrote to memory of 1688	2736	cmd.exe	43
PID 2736 wrote to memory of 1688	2736	cmd.exe	43
PID 2736 wrote to memory of 1688	2736	cmd.exe	43
PID 2736 wrote to memory of 3040	2736	cmd.exe	44
PID 2736 wrote to memory of 3040	2736	cmd.exe	44
PID 2736 wrote to memory of 3040	2736	cmd.exe	44
PID 2736 wrote to memory of 3040	2736	cmd.exe	44
PID 2736 wrote to memory of 912	2736	cmd.exe	45
PID 2736 wrote to memory of 912	2736	cmd.exe	45
PID 2736 wrote to memory of 912	2736	cmd.exe	45
PID 2736 wrote to memory of 912	2736	cmd.exe	45
PID 2736 wrote to memory of 1488	2736	cmd.exe	46
PID 2736 wrote to memory of 1488	2736	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1881d54c95a0f93575ed136dcf7b611_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zFLASH.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\flash10plus.exe
    step$rewer2\flash10plus.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\Flash10ActiveX.exe
    step$rewer2\Flash10ActiveX.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\winnt32.exe
    step$rewer2\winnt32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\winnt32.bat""
      4⤵
      Drops file in Drivers directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 biso.cn
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
    - - C:\Windows\SysWOW64\at.exe
        
        at /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
    - - C:\Windows\SysWOW64\at.exe
        
        AT 11:50 /every:TH,Su C:\Windows\pat32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\at.exe
        
        AT 22:50 /every:T,Sa C:\Windows\pat32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safetray /d """"C:\Windows\SYSTEM32\win32.exe"""" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v internat /d """"C:\Windows\SYSTEM32\WinUpdate.exe"""" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safe /d """"C:\Windows\repair\internat.exe"""" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google ╦╤╦≈" /v "" /d "http://www.biso.cn/js/menu.asp?menu=search" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:912
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■" /v "" /d "http://www.biso.cn/js/menu.asp?menu=soft" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╣╚╕Φ╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2192
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2940
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2568
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╣╚╕Φ╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=2" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╣╚╕Φ╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╣╚╕Φ╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flash10ActiveX.exe

Filesize
1.9MB

MD5
651328afc874d1035d6a1d1151367c7a

SHA1
11a81ad1b19344c28b1e1249169f15dfbd2a04f5

SHA256
e11debefe07c92ac5e4ebf24ad72146d93923c8264f84f8ff0c89fe8860822e5

SHA512
3e0cf509842ef447dcd6c90662333d647b929c3db04453d4433e1b3a30a5bd5189895e8c96dfdf816462fe305a0883219243d566aaf3d920d3e982fc751033dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeA979.tmp

Filesize
7KB

MD5
ed4f6fb0e44ea188f60a96241170e2d9

SHA1
191f16992ec3133e569b860ff3861b72f3514f5b

SHA256
c89910799f143fe111b3b5baa088b7b9d140a25a5b42768fc4a74c7761a003d7

SHA512
529df12b62e9633f0db9d3f11899e92e0447806012bd472d35b3f3e362537c3ca7203746b4b9d4397e06fbef4dcb08ffdd30154972a59fc89fa31de730ed048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\flash10plus.exe

Filesize
1.8MB

MD5
16c6b4b8326a63a99f4250c7585bba7c

SHA1
9590fb87cc33d3a3a1f2f42a1918f06b9f0fd88d

SHA256
b96ef1a61d016ac0d75aad132fa9add33f77cf3ebc3e10e8534fdf74fd8e5d6f

SHA512
fcab482145f0e32e939427961448353a3f1ff38de34002a59eae80925b06759569fc8de81a86bc9af44ac63835d626098a89baa9d7881bd84f2441f5ae12a5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnt32.bat

Filesize
5KB

MD5
1a496f6a7349e8407c0bbae611736d74

SHA1
e0e4d6befff2539a5e946be85c660068c87eeed7

SHA256
f1c076535865073b5c8c6cf5a964a3ff0077717e9fda74d84909fbb72c741b06

SHA512
98c5053fb91cb178abfeaa82001b278e2ed53b4bceec967d75e66049cbec7dfcc6589ee75d01ac6509e1d47dd4ea23a15eb6a3cbb2ccc1c85e45ba7aa3967d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnt32.exe

Filesize
24KB

MD5
21d3f0f218318810192e84fad7692233

SHA1
632cc2dbf2fda2b066a8fc7da9812d3826948752

SHA256
5d3df5ad418e44774bfc3cb9f0e7dade631798c2d5c48d44b404e0ef8bff760a

SHA512
12c7f7787b53c176014bd1194dfb97df8acfb5ce1c9be6fd13365a68220c6c9d12ec938b1968fa0c7eb072c999a376ff90c8b9a1be0e13fc5d44f1c8b4c1458f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFLASH.bat

Filesize
644B

MD5
588906d5f4360892d67fa1426126c4b3

SHA1
74f346c4bc1d3566b630ee06271c55ac36edc046

SHA256
e1854020419d163e7eaf72c79518b81a66cfffe0feb79dd64573c97790d1d3fc

SHA512
e38167d037dce8e47f6d6bdbb664b6e4e0f0ab2f4c740e0f2f439fbc1d94c65242e99b2a648ad9ae102a89741ee0afa51dc04acca481cd86a86231f62225574e

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\install.log

Filesize
817B

MD5
9a4f63c04346f2efe7113d9d56968bcd

SHA1
9d397448cbdeb96fe8bc9851d2e54a258b95cde6

SHA256
c47f45db68718e8ff9d127edd1429d771300d7486dffe69f2652b223ade00a68

SHA512
862ce70bf91381f725cfacc43db37e5dd7a65888b3c37cdc8e9fce86fd2dcf3382125b3a38a49e34ad647e1a4b2c5dba45a83f4e56ca7fc5929fc5b668622472

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA9A9.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA9A9.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA92D.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA92D.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA92D.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash10c.ocx

Filesize
3.8MB

MD5
43c6acdfb92a18c3e516e6bd5f1acd51

SHA1
da52ab3e629720adf6c6a3a8f4d47d777a2425a7

SHA256
e87aec8f4fd23c6e2be44b504804e011154b80dcde5cbf9888d4660b0436a889

SHA512
58b86d2609b81fee47bfe956b1e62d9a5b959736af41a8ad568121d9b60926fc142c79190a8e234fa3c8724e61e04147d6b9ca4fdee57ef6f4579f15b2951722

Download Submit
memory/1112-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-30-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download