8b14fd7fd075604e95837754cd7111494433edb739b1df69af0cf3b7e4c451c6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
Size

262KB
MD5

edc2bfd48c5ae0cf93fa992ef6f2e8fa
SHA1

7e141a91d410aaf3999072222fa97e6b26ec51cc
SHA256

8b14fd7fd075604e95837754cd7111494433edb739b1df69af0cf3b7e4c451c6
SHA512

5b0b138719afcf6edb4013801a1aad31c4363acb065794315b0ca571035d2a75272fcf4742a89ce7cfefbb999562ca621beee6a19b7d1482fd8077dce029d558
SSDEEP

6144:OuFUFZmDNcjypnMtiQPP26p7hSnzh1FiPIVN6J0CInx8SmoS:9UF8ejyRMtiQPP24Kzh1E4Nu0R8SmoS

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Firefox.exe"	reg.exe

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Firefox.exe = "C:\\Program Files (x86)\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-easy-nosttings.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-easy-nosttings.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2604	Firefox.exe
2660	Firefox.exe
2864	Firefox.exe

Loads dropped DLL 6 IoCs

pid	Process
2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
2604	Firefox.exe
2604	Firefox.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2260-0-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/files/0x0008000000019218-81.dat	upx
behavioral1/memory/2260-84-0x0000000003840000-0x0000000003A0E000-memory.dmp	upx
behavioral1/memory/2604-98-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/memory/2260-97-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/memory/2660-105-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-108-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-103-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2864-115-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2864-114-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2864-111-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2604-119-0x0000000000400000-0x00000000005CE000-memory.dmp	upx
behavioral1/memory/2864-116-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2660-123-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2864-125-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2660-126-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-129-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-131-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-133-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-136-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-140-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-145-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2660-150-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Program Files (x86)\\Firefox.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Program Files (x86)\\Firefox.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Firefox.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2660	2604	Firefox.exe	44
PID 2604 set thread context of 2864	2604	Firefox.exe	45

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Firefox.txt	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Firefox.txt	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Firefox.exe	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Firefox.exe	Firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
572	reg.exe
1964	reg.exe
3044	reg.exe
2328	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2660	Firefox.exe
Token: SeCreateTokenPrivilege	2660	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	2660	Firefox.exe
Token: SeLockMemoryPrivilege	2660	Firefox.exe
Token: SeIncreaseQuotaPrivilege	2660	Firefox.exe
Token: SeMachineAccountPrivilege	2660	Firefox.exe
Token: SeTcbPrivilege	2660	Firefox.exe
Token: SeSecurityPrivilege	2660	Firefox.exe
Token: SeTakeOwnershipPrivilege	2660	Firefox.exe
Token: SeLoadDriverPrivilege	2660	Firefox.exe
Token: SeSystemProfilePrivilege	2660	Firefox.exe
Token: SeSystemtimePrivilege	2660	Firefox.exe
Token: SeProfSingleProcessPrivilege	2660	Firefox.exe
Token: SeIncBasePriorityPrivilege	2660	Firefox.exe
Token: SeCreatePagefilePrivilege	2660	Firefox.exe
Token: SeCreatePermanentPrivilege	2660	Firefox.exe
Token: SeBackupPrivilege	2660	Firefox.exe
Token: SeRestorePrivilege	2660	Firefox.exe
Token: SeShutdownPrivilege	2660	Firefox.exe
Token: SeDebugPrivilege	2660	Firefox.exe
Token: SeAuditPrivilege	2660	Firefox.exe
Token: SeSystemEnvironmentPrivilege	2660	Firefox.exe
Token: SeChangeNotifyPrivilege	2660	Firefox.exe
Token: SeRemoteShutdownPrivilege	2660	Firefox.exe
Token: SeUndockPrivilege	2660	Firefox.exe
Token: SeSyncAgentPrivilege	2660	Firefox.exe
Token: SeEnableDelegationPrivilege	2660	Firefox.exe
Token: SeManageVolumePrivilege	2660	Firefox.exe
Token: SeImpersonatePrivilege	2660	Firefox.exe
Token: SeCreateGlobalPrivilege	2660	Firefox.exe
Token: 31	2660	Firefox.exe
Token: 32	2660	Firefox.exe
Token: 33	2660	Firefox.exe
Token: 34	2660	Firefox.exe
Token: 35	2660	Firefox.exe
Token: SeDebugPrivilege	2864	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
2604	Firefox.exe
2660	Firefox.exe
2660	Firefox.exe
2864	Firefox.exe
2660	Firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2496	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2496	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2496	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2496	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	30
PID 2496 wrote to memory of 1624	2496	cmd.exe	32
PID 2496 wrote to memory of 1624	2496	cmd.exe	32
PID 2496 wrote to memory of 1624	2496	cmd.exe	32
PID 2496 wrote to memory of 1624	2496	cmd.exe	32
PID 2496 wrote to memory of 2788	2496	cmd.exe	33
PID 2496 wrote to memory of 2788	2496	cmd.exe	33
PID 2496 wrote to memory of 2788	2496	cmd.exe	33
PID 2496 wrote to memory of 2788	2496	cmd.exe	33
PID 2260 wrote to memory of 2748	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	34
PID 2260 wrote to memory of 2748	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	34
PID 2260 wrote to memory of 2748	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	34
PID 2260 wrote to memory of 2748	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	34
PID 2748 wrote to memory of 2140	2748	cmd.exe	36
PID 2748 wrote to memory of 2140	2748	cmd.exe	36
PID 2748 wrote to memory of 2140	2748	cmd.exe	36
PID 2748 wrote to memory of 2140	2748	cmd.exe	36
PID 2260 wrote to memory of 2900	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	37
PID 2260 wrote to memory of 2900	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	37
PID 2260 wrote to memory of 2900	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	37
PID 2260 wrote to memory of 2900	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	37
PID 2900 wrote to memory of 600	2900	cmd.exe	39
PID 2900 wrote to memory of 600	2900	cmd.exe	39
PID 2900 wrote to memory of 600	2900	cmd.exe	39
PID 2900 wrote to memory of 600	2900	cmd.exe	39
PID 2260 wrote to memory of 2612	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	40
PID 2260 wrote to memory of 2612	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	40
PID 2260 wrote to memory of 2612	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	40
PID 2260 wrote to memory of 2612	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	40
PID 2612 wrote to memory of 2316	2612	cmd.exe	42
PID 2612 wrote to memory of 2316	2612	cmd.exe	42
PID 2612 wrote to memory of 2316	2612	cmd.exe	42
PID 2612 wrote to memory of 2316	2612	cmd.exe	42
PID 2260 wrote to memory of 2604	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	43
PID 2260 wrote to memory of 2604	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	43
PID 2260 wrote to memory of 2604	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	43
PID 2260 wrote to memory of 2604	2260	edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe	43
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2660	2604	Firefox.exe	44
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2604 wrote to memory of 2864	2604	Firefox.exe	45
PID 2660 wrote to memory of 1288	2660	Firefox.exe	46
PID 2660 wrote to memory of 1288	2660	Firefox.exe	46
PID 2660 wrote to memory of 1288	2660	Firefox.exe	46
PID 2660 wrote to memory of 1288	2660	Firefox.exe	46
PID 2660 wrote to memory of 1004	2660	Firefox.exe	47
PID 2660 wrote to memory of 1004	2660	Firefox.exe	47

C:\Users\Admin\AppData\Local\Temp\edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edc2bfd48c5ae0cf93fa992ef6f2e8fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WXYSEO.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeHXG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Program Files (x86)\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqhJZ.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Program Files (x86)\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bNrlM.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Firefox.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:2316
- C:\Program Files (x86)\Firefox.exe
  "C:\Program Files (x86)\Firefox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files (x86)\Firefox.exe
    "C:\Program Files (x86)\Firefox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Firefox.exe" /t REG_SZ /d "C:\Program Files (x86)\Firefox.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Firefox.exe" /t REG_SZ /d "C:\Program Files (x86)\Firefox.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-easy-nosttings.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-easy-nosttings.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-easy-nosttings.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-easy-nosttings.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3044
- - C:\Program Files (x86)\Firefox.exe
    "C:\Program Files (x86)\Firefox.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Firefox.exe

Filesize
262KB

MD5
8af0c75f97965a4c88c036abc44275f1

SHA1
e532b648eff44ef96801d40c6167ce1dfa2db201

SHA256
a01691a91978b8af466632f14563a8691927445aa63bd1f0453a4c65946af2ca

SHA512
ff4ebeab5d337df763d5dac05d3cfa4401ffce68199e99e9e32c0ee89b27068b7f4e9ef22b7aa6e6e2cf8d426d72bf52c1642baef7be5262c78870386d4f73a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqhJZ.bat

Filesize
135B

MD5
caf13b6972a1c7cdf69f4328f8d2614c

SHA1
52632bd66a66e5c3992724386a51f6243d03ca9c

SHA256
d607c2f68cadc4892a8b639c0bd7df447671272e162e159a1a595acb644546a6

SHA512
5c7130ef3edfd11c95a472cd77d41933aaa08fa995e8bb3793cc687a7e6721643ed5e900e7793db6207eb365301e0320e3d385a2aae143492453f20288e4733e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXYSEO.bat

Filesize
256B

MD5
7eb60f757274d9ed6717c032649e792f

SHA1
4d5c4393d873beac1146ed339f4b8eae998ad3af

SHA256
68ca300bbd70b8b3dcd3a2b545507e239bb1433225bec850e2e5bb528cf8ba5f

SHA512
11b72166cca51371451dd200df88c699569043a69123b7f4d1187d19f8815ca8a5ca112b7565d51d092a77ba7291054eeed0d51fb4d0b9443458a246e650c980

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNrlM.bat

Filesize
162B

MD5
773508c41df0c7b0062dc3daa57c4557

SHA1
4506962fc5e9d8c9b7634c5e86d09fade7a1a421

SHA256
8758b920a248fa2a4e8fe694e4b27fb8c4127ce98452b411c6ea661adf304536

SHA512
6c47a9f918b7aee4806aefbeacc06e3bcdb753889900cf240cf972e580e0e5fcce0aebc4e52582a887f8e62b4e8565adb392a059502b5d48c92cd102df2418dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeHXG.bat

Filesize
135B

MD5
929dc9eb3bc485bc4af2d54bf1e52ac4

SHA1
f76d94a0b762673e19f19772481e68200904edee

SHA256
e731f11348e8addbb3a07b1ca35ea29c30ff3e6c8be6a7bfc3ef4fffb0e71c6f

SHA512
952c406c42ea2767079cbc8f70a939745743de7ddce5f044b867d71a304d4a2c9d5b25bd83302df8ad34867740b6f78a0afecc9ceee773ac49e576b78408c4e6

Download Submit
memory/2260-84-0x0000000003840000-0x0000000003A0E000-memory.dmp

Filesize
1.8MB

Download
memory/2260-94-0x0000000003840000-0x0000000003A0E000-memory.dmp

Filesize
1.8MB

Download
memory/2260-97-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2260-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2604-119-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2604-98-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2660-129-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-126-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-150-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-145-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-140-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-108-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-123-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-133-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-103-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-105-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2660-131-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-111-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads