b1bcd75a0ec9fa857ab7eab472be48c6f29cc20d107b18f944150256a0501dcf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
Size

2.3MB
MD5

ddab1a585536120a68f0d94847061486
SHA1

3776c40f0a741c4b2f0f8593977bdc11d5a6a024
SHA256

b1bcd75a0ec9fa857ab7eab472be48c6f29cc20d107b18f944150256a0501dcf
SHA512

f8c2ec454f4b2977841821f92df6ab027ea7655aac5104a09568c6c5c6ac733698fa28d2c6fcdcb32cb789abb790da121a49daf33f1092d0808b2b37a9149852
SSDEEP

24576:6DoJJJJJJJUmDoJJJJJJJUZlDoJJJJJJJUmDoJJJJJJJUZW96H0Dlz:lUrHgl

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
116	15.#.exe
3600	581.#.exe
3464	866.#.exe
4952	684.#.exe
2784	491.#.exe
4548	630.#.exe
3328	609.#.exe
2460	323.#.exe
5008	177.#.exe
736	402.#.exe
1360	226.#.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	15.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	581.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	609.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	323.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	177.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	402.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	866.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	684.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	491.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	630.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	226.#.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\	581.#.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\	491.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\	630.#.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe$	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	866.#.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	581.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\	581.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\	15.#.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	15.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\	609.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\	581.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\	581.#.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\	15.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\	581.#.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\	581.#.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\	866.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\	581.#.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	323.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\	684.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\	323.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\	581.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\	581.#.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	15.#.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe	15.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\	866.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	581.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\	15.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\	581.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	684.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\	581.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\	581.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\	684.#.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	581.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\	684.#.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	491.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	491.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\	323.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\	866.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\	491.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\	866.#.exe
File opened for modification	C:\Program Files\Google\Chrome\	581.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\	323.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\	684.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\	581.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\	866.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	866.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\	630.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\	609.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\	866.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\	866.#.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\	684.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\	609.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\	630.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\	866.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\	866.#.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	581.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	684.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	630.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	609.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	323.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	402.#.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	226.#.exe

NTFS ADS 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	581.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	866.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	684.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	630.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	177.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	402.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	15.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	491.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	609.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	323.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	226.#.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3172	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
116	15.#.exe
3600	581.#.exe
3464	866.#.exe
4952	684.#.exe
2784	491.#.exe
4548	630.#.exe
3328	609.#.exe
2460	323.#.exe
5008	177.#.exe
736	402.#.exe
1360	226.#.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 116	3172	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe	92
PID 3172 wrote to memory of 116	3172	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe	92
PID 3172 wrote to memory of 116	3172	ddab1a585536120a68f0d94847061486_JaffaCakes118.exe	92
PID 116 wrote to memory of 3600	116	15.#.exe	94
PID 116 wrote to memory of 3600	116	15.#.exe	94
PID 116 wrote to memory of 3600	116	15.#.exe	94
PID 3600 wrote to memory of 3464	3600	581.#.exe	97
PID 3600 wrote to memory of 3464	3600	581.#.exe	97
PID 3600 wrote to memory of 3464	3600	581.#.exe	97
PID 3464 wrote to memory of 4952	3464	866.#.exe	98
PID 3464 wrote to memory of 4952	3464	866.#.exe	98
PID 3464 wrote to memory of 4952	3464	866.#.exe	98
PID 4952 wrote to memory of 2784	4952	684.#.exe	99
PID 4952 wrote to memory of 2784	4952	684.#.exe	99
PID 4952 wrote to memory of 2784	4952	684.#.exe	99
PID 2784 wrote to memory of 4548	2784	491.#.exe	100
PID 2784 wrote to memory of 4548	2784	491.#.exe	100
PID 2784 wrote to memory of 4548	2784	491.#.exe	100
PID 4548 wrote to memory of 3328	4548	630.#.exe	102
PID 4548 wrote to memory of 3328	4548	630.#.exe	102
PID 4548 wrote to memory of 3328	4548	630.#.exe	102
PID 3328 wrote to memory of 2460	3328	609.#.exe	104
PID 3328 wrote to memory of 2460	3328	609.#.exe	104
PID 3328 wrote to memory of 2460	3328	609.#.exe	104
PID 2460 wrote to memory of 5008	2460	323.#.exe	105
PID 2460 wrote to memory of 5008	2460	323.#.exe	105
PID 2460 wrote to memory of 5008	2460	323.#.exe	105
PID 5008 wrote to memory of 736	5008	177.#.exe	106
PID 5008 wrote to memory of 736	5008	177.#.exe	106
PID 5008 wrote to memory of 736	5008	177.#.exe	106
PID 736 wrote to memory of 1360	736	402.#.exe	107
PID 736 wrote to memory of 1360	736	402.#.exe	107
PID 736 wrote to memory of 1360	736	402.#.exe	107

C:\Users\Admin\AppData\Local\Temp\ddab1a585536120a68f0d94847061486_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddab1a585536120a68f0d94847061486_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\15.#.exe
  C:\Users\Admin\AppData\Local\Temp\15.#.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\581.#.exe
    C:\Users\Admin\AppData\Local\Temp\581.#.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\866.#.exe
      C:\Users\Admin\AppData\Local\Temp\866.#.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\684.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\684.#.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\491.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\491.#.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\630.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\630.#.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\609.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\609.#.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\323.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\323.#.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\177.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\177.#.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\402.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\402.#.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\226.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\226.#.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\920.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\920.#.exe
        13⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\314.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\314.#.exe
        14⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\275.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\275.#.exe
        15⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\99.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\99.#.exe
        16⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\837.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\837.#.exe
        17⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\380.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\380.#.exe
        18⤵
        
        PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
2.3MB

MD5
5b65bd09f231a358363fd9b1bf8cf946

SHA1
8683dc0fc1b7de343ae90f1319bdad8ed8aea71b

SHA256
740c0a8e864c60282ece556b83a858a058baba03944e2b311ab847c1bf4410bf

SHA512
a6cfbe85f0bd6c90f54b1845db598c2803b4a1bb6a3df07076f9fb9b3b2585943a646216b62029215b626d8b3a4338bdf80db913c3872c36a3d9ca551ccdccad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe$

Filesize
2.3MB

MD5
905f121efc317f22e27ffb5fe4056b39

SHA1
b4f17d90c39e2e78af30f94dfe8ae2e2fb99ff03

SHA256
5b2d85a78cd3f67dcc45a34fdbdb670617ae28c1ac9ec1c2d1e7804bed54ce74

SHA512
3a5c4c13379af4a389600a2ad1c8c1b69ffa7c97ab222df119be5b3c5fec893ef39b74a999bc5fc29e2b097755fe8eede283bbdf0948c6944448aed98fc76400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe$

Filesize
2.3MB

MD5
dd226c6d4780a1c41abb23bce397c82e

SHA1
5334fcab227f73365809fee237915e6991eddf94

SHA256
17f4e097d379a43a0239eaf33b6013b1bf15df34afa0bf37952dea5ed62f7fee

SHA512
e86fe233dd62ed3a692e1f6c150e795bf2bd23601a70826573bf189408467551834b30c119d4b3ea4af97f871e0bd8b55d66a3fd63986f4a19e397438b128b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe$

Filesize
2.3MB

MD5
7f3c41dd008f553f42a50520438b12ac

SHA1
f8d47bb48d3e9bfd439d58fcbb5b50d09e503cb8

SHA256
3904c2c60d7a19ae0c3f56c44f88081353265c4c6d6c6b85205f05de32228374

SHA512
62dd0ee2c72235eceeea97de869b362a0d7feccf441eadfcd7a3d3c80b3fc9fea31b3e39c501aca94c91c9971bb6f9685159713dbeebcb7ea79a996619a00be7

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe$

Filesize
128KB

MD5
0cbeb8c466a44234d4f80deadb1bc78f

SHA1
8077130a4ed39ed2637a86b59d95b8748b84d1f6

SHA256
3e229770bdf37c0ef124e66c62146362b66afa9d77dc91015c679a336f08cf37

SHA512
3086eda53321906b1a2bd37e8f462cfa9eeacfc9da0239049899af68f8fb9b9c2086d98599dd0e4fc40c59df2d46793549d1da260bf90d2ec6c5e315e96a4af6

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe$

Filesize
2.4MB

MD5
b9888c710cc060597e47703869a33e5a

SHA1
3907f39b84a7b822e1048a9f00a2163de1b92b76

SHA256
41334b428742c2f59618031534e27b954f1679e99723c16193d09db7e94567cc

SHA512
3d4fe3086f3d7562409326b0ef173375f44add4a911b17f94dfd2100ba554961057d12b698a72064336b8cf90e1bc788381158c0afbfaa8308f0dd1315ae49fb

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe$

Filesize
3.1MB

MD5
9ab571353ec4ae322e1c1106aefc7361

SHA1
215e8d10d395f994dc6e0c9c6916a56b44b8b178

SHA256
696f6e3ab751eae630e419917d255d4677e2b7afdffb6333a625bc1d168b7720

SHA512
e34d4dc9b19ee0c4464cc78fb71eeedd5608c19aa4f5650acb94bcaaf3d3cc30a3e9970afb7ed1a4c2aaacf87fec30decb2ed92022317d18b27ba0751cf40900

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\helper.exe$

Filesize
2.3MB

MD5
21a5d3f9318204079f7d0cdc8bb9d4da

SHA1
5f31d98a322f55869e3d479ae72148fade1c16bc

SHA256
533c50f12f11249a601c66728d26cdf273d58de64c9e6f2a0ca1f6c3ff0a8eca

SHA512
8d76737dc4ec93a435406a838b82dd69643310e290413030260b1ccea92fe4a14742cb4973c8d850c920083a166b1d945f09f9c278da49af823c9aa5da333f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.#.exe

Filesize
2.3MB

MD5
ddab1a585536120a68f0d94847061486

SHA1
3776c40f0a741c4b2f0f8593977bdc11d5a6a024

SHA256
b1bcd75a0ec9fa857ab7eab472be48c6f29cc20d107b18f944150256a0501dcf

SHA512
f8c2ec454f4b2977841821f92df6ab027ea7655aac5104a09568c6c5c6ac733698fa28d2c6fcdcb32cb789abb790da121a49daf33f1092d0808b2b37a9149852

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads