modiloader | 0bb8e496f29d0eedaa7c4518a5f08de6866a177ba13b09fca092390d4f970cda

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
Size

74KB
MD5

dff091e8d49824eb69e45d5abd0639d3
SHA1

5cc462098b4ec37eef8835d8c6a43fffbd506e0c
SHA256

0bb8e496f29d0eedaa7c4518a5f08de6866a177ba13b09fca092390d4f970cda
SHA512

1d16d9dbb322eda75ec975f24d6806934262455cecd586b9fc3691e345f3a84e6909cafbf44059cd983e001caaa4594f81abea84c2205c03204be395771f68b8
SSDEEP

1536:h3VuEqJ3J2X6kkkkkkkkCkkkkTkkkkkkkkkkkkkkkkkkk/GwHByFRVwyA0F5kHUN:h3VuE2k6kkkkkkkkCkkkkTkkkkkkkkkJ

Score

10^/10

modiloader ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2336-33-0x0000000000400000-0x0000000000423000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-475-0x0000000000400000-0x0000000000423000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
944	DesktopLayer.exe
2964	AdobeART.exe
2968	AdobeARTSrv.exe

Loads dropped DLL 5 IoCs

pid	Process
2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
2964	AdobeART.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/memory/2880-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/944-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/944-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000700000001956c-22.dat	upx
behavioral1/memory/2968-45-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2968-44-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2964-36-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2336-33-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2336-30-0x0000000000470000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/944-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2964-475-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px454.tmp	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4E1.tmp	AdobeARTSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	AdobeARTSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeART.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARTSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DB5AD81-727E-11EF-9DFD-D67B43388B6B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432469121"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DC19461-727E-11EF-9DFD-D67B43388B6B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
944	DesktopLayer.exe
944	DesktopLayer.exe
944	DesktopLayer.exe
944	DesktopLayer.exe
2968	AdobeARTSrv.exe
2968	AdobeARTSrv.exe
2968	AdobeARTSrv.exe
2968	AdobeARTSrv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3060	iexplore.exe
2884	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3060	iexplore.exe
3060	iexplore.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2884	iexplore.exe
2884	iexplore.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2880	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2880	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2880	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2880	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	29
PID 2880 wrote to memory of 944	2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe	30
PID 2880 wrote to memory of 944	2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe	30
PID 2880 wrote to memory of 944	2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe	30
PID 2880 wrote to memory of 944	2880	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe	30
PID 2336 wrote to memory of 2964	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2964	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2964	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2964	2336	dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe	31
PID 944 wrote to memory of 3060	944	DesktopLayer.exe	32
PID 944 wrote to memory of 3060	944	DesktopLayer.exe	32
PID 944 wrote to memory of 3060	944	DesktopLayer.exe	32
PID 944 wrote to memory of 3060	944	DesktopLayer.exe	32
PID 2964 wrote to memory of 2968	2964	AdobeART.exe	33
PID 2964 wrote to memory of 2968	2964	AdobeART.exe	33
PID 2964 wrote to memory of 2968	2964	AdobeART.exe	33
PID 2964 wrote to memory of 2968	2964	AdobeART.exe	33
PID 2968 wrote to memory of 2884	2968	AdobeARTSrv.exe	34
PID 2968 wrote to memory of 2884	2968	AdobeARTSrv.exe	34
PID 2968 wrote to memory of 2884	2968	AdobeARTSrv.exe	34
PID 2968 wrote to memory of 2884	2968	AdobeARTSrv.exe	34
PID 3060 wrote to memory of 2668	3060	iexplore.exe	35
PID 3060 wrote to memory of 2668	3060	iexplore.exe	35
PID 3060 wrote to memory of 2668	3060	iexplore.exe	35
PID 3060 wrote to memory of 2668	3060	iexplore.exe	35
PID 2884 wrote to memory of 2508	2884	iexplore.exe	36
PID 2884 wrote to memory of 2508	2884	iexplore.exe	36
PID 2884 wrote to memory of 2508	2884	iexplore.exe	36
PID 2884 wrote to memory of 2508	2884	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2668
- C:\Users\Admin\AppData\Roaming\AdobeART.exe
  "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\AdobeARTSrv.exe
    C:\Users\Admin\AppData\Roaming\AdobeARTSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66425220e1df65e83a88b0c018f57ee4

SHA1
05a56d25f21a995527222d70de93641a5889593b

SHA256
8bf932ca89c2a1fa20386c75add5e107d48e2fb5a8d0efb87fe8a161570df1d3

SHA512
336ad4a9c1c628cd7f3738cfc3aa5c83625a544c194126231288eee2c779084e7c9a4b238c96ec848b56b822d1a4db5e0206421dcdfc108b00b02b3082a4332e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d30875c085c95dcc719dbb111ef74d

SHA1
7dbba40f8ef0287e2816e2f255f75a59b5426b54

SHA256
09e01c99920a6008d4432fce76f95ac99a4f90f909906673aea503829da24971

SHA512
bf5a5b7f8a3ea9eb1bfc06f9e3dee9fb80a4afded0c445d921b8d54fa94eafedfc0586678dc8aed9024fec39851d348549f9d8d954ec33d8668975500d1334b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df31b6edadf972722426b10621f4e68a

SHA1
c2aab8d466ced16dd26bae7e0ead864d04cda207

SHA256
2d66152cc6c8e349289f722ed3a53dc2bb6735e0069166e5fdd536d6658507e2

SHA512
e1163544d69b5b6bc184f2045452ed7f32a4cfd5c9ad8814573f9aa1004377913ff95abb3b05f9a3c924e6fce2ab7eaf8c174018ef5f54487725a4e820f94958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b726525b111e9d30d6c45762c7495ff1

SHA1
07a79a3a4a944e77d3e9505f42d605c556f28f2d

SHA256
ab45f91b815ed3aa36875e4dae92598ce8de2a27c527ca37ebfd563801477dcf

SHA512
7711cc79a6e86ae7cadc844689c37b80907a0c4592a93b0d5bb23a6a981b9a7f1d8f98da5b5cf9e3dbd625349c221ead586bf6d10519740a8027747354a6af0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87dfb9b2517cadbe444fa4c388c0e7f6

SHA1
2d8318c1a4bdf6bb0e40a41b61079b153fffcf37

SHA256
6c13645fba650e0a674e2b100508445b38f0bde206bbba7f00f10ee34a2181b5

SHA512
be20a6a56667c4910c391e20b0e605b8291f612474f2fd8a725ad24a10b4677361dece57d99e8c7905e0e74c636fd11ca9dc26f89c4c2c54541a581ad6dfd54a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b182888b494263bd79f292e9374cd30

SHA1
8305fb736373eb9b609f8a77363326e5d76b72d8

SHA256
82294873e918a603a08b24bed3890872697ba34f0550119b88b30e016f205ed4

SHA512
4914b71f6d6c2dcde521e5a2d97fa3c8afd58c22e3dba706faa52c26ec2793cc4a735df310eee71f1c031506f83f49c22d3960f758cfee2d395353689a97974a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
052a5db5f52bb0d2bbe96a4a3d53fa0f

SHA1
f7dd2808e1f564061cb13c03354281b66a8ff27e

SHA256
6b68bebe394a3d14bcc33faa9d3796bfdfede41fe95a94c5ab8b6d3599f7526a

SHA512
ee26154d2ace4556127b10dd6bdc9c7d3ac8de317fad7a13da3f4ebed6604ac0e4d9b7c7cc2c109095f354fc36758953bdf9614ca7f4f06b06fa785309b8428a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9f192787cacbd813002b58a5b20942d

SHA1
e069a431cd072791de79db16a5a039ca0f3cad7f

SHA256
fac84101132024adf8cccd7420aa1495e792747cfebe2e9e18eb250a23f41b54

SHA512
700efc3485f8467bb1d7de9972568c303f8aaccb584a5ed4a086340b9684bbf85e8e91a0fad3e91a5d3dc2fff61f97ab1dd2b1c06ab27f7d741b72aba09abcf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ca81fa012bd3fa894ba5b4f49964951

SHA1
a2035fd3be29ecbc50e3335c637dae71e2ffb760

SHA256
46f50dcfba6a5e75f0a7e32989141380b1954e2800ee29db27a699f7ec8d136b

SHA512
9498f7994d0a7e134b223ab0dc1a13e4f1e08a651b867a6ae882885e90caa0a0d4d409c3c3114924cbc37a889cbdc88ad068ad919b9baada35ce0fd1b5ace377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c48fb8892620940f5f65d88a7e9f67

SHA1
8af3c590e6c8df083d047e08983fd91c93114ca8

SHA256
73b915bdd927dbc592dbd1e6e31f364a961144e67b10cbc115ec15d309bb7506

SHA512
5b95acf39ae62537477df65582027c719c2f45d3132a47d45c9e7edee77d5c41edfbe311ab02573560922e169d8fbf59fb8352ebc2764e4a9b8273d8c48beea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4701201e17cb3f49967ba30e7e65ed

SHA1
97cee9d6cbab2aeef11cf6777867ee3d7485c1c4

SHA256
8671d77a17e5daba7502edbcb4284c8c559e23c8291506578a9a4b3b53e01d6c

SHA512
129c4374c81b2362509fb992d0f75d54387deaf5a9a93b09feb3ab6426bfdfe9063d0778565c7c42a0426e357fde72353fc67c70a29e294b385a48d7200f460a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9779e2f566d65051ca6c46cf41949695

SHA1
abbc9dca63d495b88eefcd9710efe7cc5c4175b3

SHA256
342e6919bb1ebf89d757d62f271bb3bbe298f60849a73ab254fc3680c9fdb803

SHA512
a31896931f9de3945789abf3108a73f1668a7808420ffb905e38c4b34f8807b85a81801393b086e17bc5f5bec01ad82bb3e3a05bc808916c5816e3436eea5214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a7a508d0c92df0107b479b7417f2f17

SHA1
0408f18aad974be6e41809fc2098b831b058173c

SHA256
640a3f06ea55ef29fe7b7475a5f22c7297f2132ded0eb6c4eafc765d4b0a53ee

SHA512
f04dc8b458395cabf127555c8f46b3f0d499ff27627bc24650dd6f705f7ef10c9260a5b0d51272428e4b47fb5aaf6668e10dbc1fdbc0523b97192b89e5100430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0e1794cbf3ed6e83c11273dcd78c33d

SHA1
d6b9e6b8ac90ffc092bc28408cd6ee882a368123

SHA256
459c2893df472c6d33469b134a5179c8ab358fb76e7116fa959eb7cede99ee41

SHA512
cd69e7d1fe258fa87ad535f8e412e52c4fe83df9297a3bb1156b87caffe19f6747fcebeb5bbc89a7f1ce919c63bdf9b8b2fbbb8b4087e6dab511b1db4522dfeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3043034e974f53fe4f74745648bb10a8

SHA1
9afe824dd32c8ae35149c095846dbea83b6970eb

SHA256
71a5a7a41555b210c1fc924ce7de1cfc7a64c9545c54993ff554f77e5c39104b

SHA512
f0ee8e70ff09ca09e9e07eb9dc48402c583383aab5dd7d8bf484f5b3129cde83a90e1837de0a5c2dfd01a09cb7dbbdfc389aa5f49443591e8ccca9bd82e68102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8511d88126722685de95e34f989eb06

SHA1
e4d542e2a740670cae50e04481b07f083f699ec3

SHA256
eb81c5c7b1159006d2f471ba59fe7a7284eee6f935d5db6b786f2ada49c3002d

SHA512
2bcb812eb8c01e7543ed291c18d7111b424371904bc7d1a99c9d2c8743a7ce1be5b86c6a3b56545c8b0cee78272ee9c7c9054204d966b7ca7f90b670ba283c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38673268b6d953c462710d77ab0b587c

SHA1
9b3c0e871460c9e11294e1970edb2044ebcb47c4

SHA256
6b5f5547b424d2c6c5bf59d234c693046a00529a0b1bc57aa6512321e326d62a

SHA512
bb118c673b9be9728e8153d971c8e829de26ee4e04cf5f896a6d6b8c236b955b08cd8c4a9ce7beee3a542538cad6fb2bb6a6c983d8be9bbbf98b5ee037427f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e847a852e5b9cec5e30725e9abbeb062

SHA1
22b8da088647b045f8da9e84e1d52b40dfd774c9

SHA256
7b0805bf4274a979ba07ee8b62914e29377ae499f23842f5a468db9aa95c27fa

SHA512
971a0780d35ecc3809150f805e8038163b71210b04f49da58b5c90d33f9da0dfe959612c3268906cf6a7f6a3684478a94588f9c6e1b82d99a2da6228872e48f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dea9dde9e22b52322d992e9696d801e6

SHA1
d9e91f18280702c94df7a2adee1e68651561e188

SHA256
058bceb3fcb29de49e74122e2bff8af3525b41169feb403a78e09942cdd38510

SHA512
326b8af458f87259c951d0aef2b107ebdf5d412ddcf5ad7c0181afa6a376aced5f3672dc11e50b4317e0c70e007b20b717f0625510f7ba06377b43ec9211bbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DB5AD81-727E-11EF-9DFD-D67B43388B6B}.dat

Filesize
5KB

MD5
638bae1767d833b3dd0762faf2b0162b

SHA1
f8808af538301d89ecd65c244b1e4e089238f9fb

SHA256
e689aedb13748e196a2878dab2ba983961a72ca9f2162dbe3ad7862a92f89049

SHA512
99962e160a9e3d2a56b423673215dc02ce8efec3571446390614e0fd2e16e7bb3e3f00d15e5f0619f60c44a7c76c319ff007af9712a3ade79b24dc4d986e0c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A38.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AB8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\dff091e8d49824eb69e45d5abd0639d3_JaffaCakes118Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe

Filesize
74KB

MD5
dff091e8d49824eb69e45d5abd0639d3

SHA1
5cc462098b4ec37eef8835d8c6a43fffbd506e0c

SHA256
0bb8e496f29d0eedaa7c4518a5f08de6866a177ba13b09fca092390d4f970cda

SHA512
1d16d9dbb322eda75ec975f24d6806934262455cecd586b9fc3691e345f3a84e6909cafbf44059cd983e001caaa4594f81abea84c2205c03204be395771f68b8

Download Submit
memory/944-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/944-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/944-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/944-18-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/944-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2336-30-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2336-31-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2336-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-9-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2880-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2964-41-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2964-476-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2964-475-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2964-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2968-45-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2968-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download