ardamax | deb3c96f35d1086acc57bec87f55102b06f5bea1e99addb9f57a37d3360b9487

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
Size

1.0MB
MD5

e4dcae88f6d374adf13a9af6e11aea7e
SHA1

f5c1921bc03b295025ee2cb793e14991c5c51026
SHA256

deb3c96f35d1086acc57bec87f55102b06f5bea1e99addb9f57a37d3360b9487
SHA512

47bb220fb25052d5a3c51dce5aec29771efac32d4b59028824fb6d85a4fa0504bd8029437133101571ed5e9a5e6f2d1db1202d53bf9b2bb88c93436686ec7ee4
SSDEEP

24576:1LcIAe9NR0OPCwkiquic2aNJCKH0GKcK5J7o:GIFF034qLy3znKh5K

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001941f-57.dat	family_ardamax

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}\stubpath = "C:\\Windows\\userinit.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}\stubpath = "C:\\Windows\\userinit.exe"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000004ed7-299.dat	acprotect

Executes dropped EXE 10 IoCs

pid	Process
2412	Patch.exe
2196	Install.exe
2364	server.exe
2764	userinit.exe
2824	FMJA.exe
1724	inst_server.exe
2828	rinst.exe
2784	server.exe
1732	svchots.exe
1616	userinit.exe

Loads dropped DLL 46 IoCs

pid	Process
1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
2196	Install.exe
2196	Install.exe
2196	Install.exe
2196	Install.exe
1724	inst_server.exe
1724	inst_server.exe
1724	inst_server.exe
2824	FMJA.exe
2824	FMJA.exe
2824	FMJA.exe
2824	FMJA.exe
1724	inst_server.exe
2824	FMJA.exe
1724	inst_server.exe
1724	inst_server.exe
1724	inst_server.exe
2828	rinst.exe
2828	rinst.exe
2828	rinst.exe
2828	rinst.exe
2828	rinst.exe
2828	rinst.exe
2828	rinst.exe
2784	server.exe
2784	server.exe
2784	server.exe
2828	rinst.exe
2828	rinst.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
2824	FMJA.exe
1724	inst_server.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe
2064	svchost.exe
2064	svchost.exe
2064	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000175ed-18.dat	upx
behavioral1/memory/2364-46-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2784-154-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2784-150-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1616-149-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2364-84-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2764-49-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1616-163-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2764-330-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1616-462-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FMJA Agent = "C:\\Windows\\SysWOW64\\YOF\\FMJA.exe"	FMJA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchots = "C:\\Windows\\SysWOW64\\svchots.exe"	svchots.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YOF\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\svchots.exe	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File opened for modification	C:\Windows\SysWOW64\YOF	FMJA.exe
File created	C:\Windows\SysWOW64\svchotshk.dll	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	svchots.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.001	Install.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.006	Install.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.007	Install.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.exe	Install.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.dll	userinit.exe
File created	C:\Windows\userinit.exe	server.exe
File opened for modification	C:\Windows\userinit.exe	userinit.exe
File opened for modification	C:\Windows\userinit.exe	server.exe
File created	C:\Windows\Install.exe	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
File created	C:\Windows\msklm.bat	server.exe
File created	C:\Windows\msklm.bat	server.exe
File created	C:\Windows\userinit.dll	userinit.exe
File opened for modification	C:\Windows\auiwp.kfs	svchost.exe
File opened for modification	C:\Windows\userinit.exe	server.exe
File created	C:\Windows\userinit.exe	server.exe
File created	C:\Windows\userinit.dll	userinit.exe
File opened for modification	C:\Windows\auiwp.kfs	svchost.exe
File opened for modification	C:\Windows\userinit.exe	userinit.exe
File opened for modification	C:\Windows\userinit.dll	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMJA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst_server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchots.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2828	rinst.exe
2828	rinst.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
900	svchost.exe
2064	svchost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1732	svchots.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2364	server.exe
Token: SeSecurityPrivilege	2364	server.exe
Token: SeTakeOwnershipPrivilege	2364	server.exe
Token: SeLoadDriverPrivilege	2364	server.exe
Token: SeSystemProfilePrivilege	2364	server.exe
Token: SeSystemtimePrivilege	2364	server.exe
Token: SeProfSingleProcessPrivilege	2364	server.exe
Token: SeIncBasePriorityPrivilege	2364	server.exe
Token: SeCreatePagefilePrivilege	2364	server.exe
Token: SeBackupPrivilege	2364	server.exe
Token: SeRestorePrivilege	2364	server.exe
Token: SeShutdownPrivilege	2364	server.exe
Token: SeDebugPrivilege	2364	server.exe
Token: SeSystemEnvironmentPrivilege	2364	server.exe
Token: SeRemoteShutdownPrivilege	2364	server.exe
Token: SeUndockPrivilege	2364	server.exe
Token: SeManageVolumePrivilege	2364	server.exe
Token: 33	2364	server.exe
Token: 34	2364	server.exe
Token: 35	2364	server.exe
Token: SeIncreaseQuotaPrivilege	2764	userinit.exe
Token: SeSecurityPrivilege	2764	userinit.exe
Token: SeTakeOwnershipPrivilege	2764	userinit.exe
Token: SeLoadDriverPrivilege	2764	userinit.exe
Token: SeSystemProfilePrivilege	2764	userinit.exe
Token: SeSystemtimePrivilege	2764	userinit.exe
Token: SeProfSingleProcessPrivilege	2764	userinit.exe
Token: SeIncBasePriorityPrivilege	2764	userinit.exe
Token: SeCreatePagefilePrivilege	2764	userinit.exe
Token: SeBackupPrivilege	2764	userinit.exe
Token: SeRestorePrivilege	2764	userinit.exe
Token: SeShutdownPrivilege	2764	userinit.exe
Token: SeDebugPrivilege	2764	userinit.exe
Token: SeSystemEnvironmentPrivilege	2764	userinit.exe
Token: SeRemoteShutdownPrivilege	2764	userinit.exe
Token: SeUndockPrivilege	2764	userinit.exe
Token: SeManageVolumePrivilege	2764	userinit.exe
Token: 33	2764	userinit.exe
Token: 34	2764	userinit.exe
Token: 35	2764	userinit.exe
Token: 33	2824	FMJA.exe
Token: SeIncBasePriorityPrivilege	2824	FMJA.exe
Token: SeIncreaseQuotaPrivilege	2784	server.exe
Token: SeSecurityPrivilege	2784	server.exe
Token: SeTakeOwnershipPrivilege	2784	server.exe
Token: SeLoadDriverPrivilege	2784	server.exe
Token: SeSystemProfilePrivilege	2784	server.exe
Token: SeSystemtimePrivilege	2784	server.exe
Token: SeProfSingleProcessPrivilege	2784	server.exe
Token: SeIncBasePriorityPrivilege	2784	server.exe
Token: SeCreatePagefilePrivilege	2784	server.exe
Token: SeBackupPrivilege	2784	server.exe
Token: SeRestorePrivilege	2784	server.exe
Token: SeShutdownPrivilege	2784	server.exe
Token: SeDebugPrivilege	2784	server.exe
Token: SeSystemEnvironmentPrivilege	2784	server.exe
Token: SeRemoteShutdownPrivilege	2784	server.exe
Token: SeUndockPrivilege	2784	server.exe
Token: SeManageVolumePrivilege	2784	server.exe
Token: 33	2784	server.exe
Token: 34	2784	server.exe
Token: 35	2784	server.exe
Token: SeIncreaseQuotaPrivilege	1616	userinit.exe
Token: SeSecurityPrivilege	1616	userinit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1732	svchots.exe
1732	svchots.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2824	FMJA.exe
2824	FMJA.exe
2824	FMJA.exe
2824	FMJA.exe
2824	FMJA.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe
1732	svchots.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2412	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2196	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	31
PID 1196 wrote to memory of 2364	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	32
PID 1196 wrote to memory of 2364	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	32
PID 1196 wrote to memory of 2364	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	32
PID 1196 wrote to memory of 2364	1196	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2764	2364	server.exe	33
PID 2364 wrote to memory of 2764	2364	server.exe	33
PID 2364 wrote to memory of 2764	2364	server.exe	33
PID 2364 wrote to memory of 2764	2364	server.exe	33
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 2824	2196	Install.exe	34
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2196 wrote to memory of 1724	2196	Install.exe	35
PID 2364 wrote to memory of 2880	2364	server.exe	36
PID 2364 wrote to memory of 2880	2364	server.exe	36
PID 2364 wrote to memory of 2880	2364	server.exe	36
PID 2364 wrote to memory of 2880	2364	server.exe	36
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 1724 wrote to memory of 2828	1724	inst_server.exe	38
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2828 wrote to memory of 2784	2828	rinst.exe	39
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2784 wrote to memory of 1616	2784	server.exe	40
PID 2828 wrote to memory of 1732	2828	rinst.exe	41
PID 2828 wrote to memory of 1732	2828	rinst.exe	41
PID 2828 wrote to memory of 1732	2828	rinst.exe	41
PID 2828 wrote to memory of 1732	2828	rinst.exe	41
PID 2828 wrote to memory of 1732	2828	rinst.exe	41
PID 2828 wrote to memory of 1732	2828	rinst.exe	41

C:\Users\Admin\AppData\Local\Temp\e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Install.exe
  "C:\Windows\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\YOF\FMJA.exe
    "C:\Windows\system32\YOF\FMJA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\inst_server.exe
    "C:\Users\Admin\AppData\Local\Temp\inst_server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\userinit.exe
        
        C:\Windows\userinit.exe c
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2064
    - - C:\Windows\SysWOW64\svchots.exe
        
        C:\Windows\system32\svchots.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1732
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\userinit.exe
    C:\Windows\userinit.exe c
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\msklm.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
c363636be734a8e6b81c677a43e25f85

SHA1
1103c7de9e96847abeacc2bade802e9420153a86

SHA256
c9e577f71b090bf5c400bb7161442ce61fd4feaa993fce90ba57e6410e16e0c3

SHA512
aae9d484e55355af205c20f0ec367b7b15f1c438b6ac6b23eea9b641e09ae4f12049666abc4e44912030203e0ef4ff8703620e7433a9b85f6832a109defe2191

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
de4b1aa8153f7625d9d9ce970e2aa9e4

SHA1
5a95d08b9f566f0667f7d134c13ce49eb1e960f3

SHA256
032ee64576aa2b7af69f17cb908f72887377a9b6c4e816a2567e8dad359ed9fc

SHA512
f4c80a6071b20c139447469fd1f14381c1141016c0c407e385fcf3c752d031563c2d638fc14a2f61c1aa993c4c801d7e553878f75e3112939b99bf455508f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchots.exe

Filesize
408KB

MD5
d34b4414ff28537909ae2da1e5c2484b

SHA1
6f510d70867d6c9743ea89ae2ae7363532bac2d8

SHA256
c607f59088d96111e1392d0af7a1adbda9ba175edc35fed19fb0722fa89c9442

SHA512
139c0daf7062762ef1dcf04532e0033d57b3f544353c6259925668d26341984ffb73dd1ca9c3ad593209e3b76edfc8256d29f9121cc52a3a4473eb52657db4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchotshk.dll

Filesize
21KB

MD5
31c7a09e3bf89c7ee0ebddad02a18996

SHA1
59fd23970715489ffe328f3856069d462c7f4b50

SHA256
b6305995ca0ddb381d0d954d51ea28bb44a91b0021376298958ac2f25f75261d

SHA512
a45adb99bb1dfa8a834435ed093216a49a7b72b64a5d5a86b221c8818634c292e4d1e22839b3ce158f2ddf8d123c9f2d43542078d4e00211c4fcc9f5ce406420

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst_server.exe

Filesize
371KB

MD5
2c7e89505ea8bcffcc601d35bbae583e

SHA1
bdbbd3a274bde9aa4bb995a3e618890c5ba05953

SHA256
899fa4e91717407e3737c9c0853d38199f0b1a04c6c3401a8a5c42bfb7665eac

SHA512
dc10e2ba0d6db1c77313190f53106d2dd9f907e710973ba4a4b71be63dba2fbd0c5fa15887baf4f665133d9d52bb4892312d2ce5f35a66a98a7143ea6dc732f3

Download Submit
C:\Windows\Install.exe

Filesize
837KB

MD5
79b40035a61c124306673bf5695cf639

SHA1
91170fdad77be0c1af25c9d8cc76def138b9fc85

SHA256
2ff301091220da41799a5e84d2b49dee9ac177eb240ab7110526a65aa0ae9999

SHA512
2a93c9fce6d0c7760beec795ca60b7047411b498d47eb1d794bf969744c9a525e3d7352432342d8a4ccfcf3c2cc70dc369270ecc39747fcd5843d7ebf9886c4e

Download Submit
C:\Windows\SysWOW64\YOF\AKV.exe

Filesize
416KB

MD5
753eed6ba7bca7e1b625d352a5230f6d

SHA1
db4bf56b23cbbd41d7f95d5f06ea8b062ba4b3cd

SHA256
68d90fb1c165caa1c6c04d1dd9a29e81a83d52952d608c17284b7215aafcb859

SHA512
abf78a8018039cfc5e7dd6ec4f71bfa58ff16f15e8758a9ed04c026c941cef6da14ac057d955778a4190f1116b42088aef9c87634f94d5014db6a5401d64fc60

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.001

Filesize
592B

MD5
c293a1b727fcd9bb1d7bf01188264818

SHA1
cbbe1e562f05cbb268f7ea133101e039a4b8b1ce

SHA256
1516b4f8e1451410bc2ddd71a9c52ccd09b2b3245b280e4538769ed88e53cd80

SHA512
06694c5a9c5d7d315145b71f53953b98503792f28be7e56a41561c5f791711ddc9382ab8a0739677c04f091b047469169221a97659f9f886a9991d4197bdf880

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.exe

Filesize
540KB

MD5
3fcec6436ceefe496759d5d95a72946d

SHA1
90741b60963323ccff6aacc4f9a4e947967f3c65

SHA256
e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434

SHA512
44c675bc06b036c64f364db3198db29a8affce246006f8d51cd8de45c131de575ded4d5e1aefeeccd8c82d52529a3b312379ea524b7e49d662249a61c71aab06

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Windows\SysWOW64\svchots.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\msklm.bat

Filesize
128B

MD5
6767851b21a3718b2eb1538372657f62

SHA1
798cf2e3438da237ed516f165dfcf397097da4e9

SHA256
44478783a4588666ba9483a4866a8de674b62dbf819e8d233a74ea8e57ef16e0

SHA512
34328e4692a662b5aa738e8a271a842f21846cc6284783e94e372d426b4c78b279f3c461bc9b3864381ad132b324631730b15775fa2521dc8e80d2b584cc587f

Download Submit
C:\Windows\userinit.dll

Filesize
86KB

MD5
a09140f561a314c3495d72c3cabd1e8e

SHA1
83062ea280438543a1408830fff5ff6f4a79b7d9

SHA256
8acba5512a804ed88d29eaa4ea11ba6c3cadf8e89abe6aaa3dfcbce3ef13d164

SHA512
ae4ee71ef81bdf79a0fe08a7f9d9b13b60c28132a49ab2cd593db59456e1c438876c9a1131950957bc4dade9c59964f11b0588735972a8148f582507f18bc877

Download Submit
\Users\Admin\AppData\Local\Temp\@A2B5.tmp

Filesize
4KB

MD5
0850d0451f7b387627be1d8448d4e8cc

SHA1
f7f346dbb9399a5f3c1e783c66bc82b7110d6f32

SHA256
d0f4b9b1c98c68a583e99af328f25220072bf99350407f4d8168cc15714ed9e1

SHA512
bb403196ff80b8971486d4a71246de4d4e4b1bbea4505940574ce2d375bc1d55a5ba7606bba9d4b726ad3ef3fe89a1ed377d6d984f2f08fa1f938694fb2f6535

Download Submit
\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
54KB

MD5
471d59c822d102d40f202b70a5c4a88a

SHA1
2f1d83a7dd442ed8b2c843725507e1fa4055c3eb

SHA256
1f2ec34e911c574f36f0093127c05454e5ccba538d7227f59784c3ec5a60bbda

SHA512
249b82ef70258adbce12ee74b1155af9e468cad8c0b2f414bb2bbeefc0bf6c3261a7e11229e53f54bf091f84344780aa5df41c2dc89a926dc991a194c904cbb6

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
107KB

MD5
afee591f51f907351fb48c1f16923c19

SHA1
8ced3c24f618646039642b9621c9dea88d3fe4c0

SHA256
6ab5b7503f8286885fe8697c8ca316c31bebfcfb94e43bb3e7a61e08817c383a

SHA512
eff8dd8ce91af7c660f33a1d129f4022362691716b872be12def5341b0ae0622078d0d7dd7371dce87c4acaa4f98ecd0b311ff4a51af6c85bedb922e95ca66a2

Download Submit
\Windows\SysWOW64\YOF\FMJA.006

Filesize
8KB

MD5
1acf05c81017fb2a272d9c10caeb67f9

SHA1
e782df7f04a0146cec392f2200379fc42a4a74ad

SHA256
fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894

SHA512
c64e5b9c43af483c551b2fd4e143517c79cdef5b4144258f8964695dae3d0e3689194f0be5500369b19d666d0a08b46e15662bc8f1c51e314eee8af54cccb1c3

Download Submit
\Windows\SysWOW64\YOF\FMJA.007

Filesize
5KB

MD5
1f154a8e3d92b44b66de52ea426c772d

SHA1
5cca6e4b88dafa2caae56ad98df6ca4bdabbd92f

SHA256
6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95

SHA512
06501a567500a05082d03818d33d49f3bf7afcdd5ea6e68ed37f09ed4fe6a945f2e86ce418a86a98d42d436d4b76ffaef2434642c8f2fb24f2f445797e5e8c55

Download Submit
memory/900-193-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/900-184-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/900-178-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1616-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1616-149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1616-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-48-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/2364-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-47-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/2364-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2412-50-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-14-0x000007FEF591E000-0x000007FEF591F000-memory.dmp

Filesize
4KB

Download
memory/2412-45-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-158-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-159-0x000007FEF591E000-0x000007FEF591F000-memory.dmp

Filesize
4KB

Download
memory/2764-177-0x0000000010410000-0x000000001044C000-memory.dmp

Filesize
240KB

Download
memory/2764-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2764-330-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2784-152-0x0000000000390000-0x00000000003C9000-memory.dmp

Filesize
228KB

Download
memory/2784-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2784-151-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2784-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-161-0x0000000002A40000-0x0000000002A79000-memory.dmp

Filesize
228KB

Download
memory/2828-148-0x0000000002A40000-0x0000000002A79000-memory.dmp

Filesize
228KB

Download