c66d52bcf29db1ff263f01381f2da1fdb0e582b69227a0f43de6ec251aac47b6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe
Size

1.4MB
MD5

eefde0896c38953d97338c9be9c989c5
SHA1

8f60fb6bb8d8f591d35f646fe8034bb1f25cc5c3
SHA256

c66d52bcf29db1ff263f01381f2da1fdb0e582b69227a0f43de6ec251aac47b6
SHA512

ebed225526cdebbe8a67077090bbf50c97016743d8c992e5797644776423d1fe84464686d2a9a5ea5e570a07eda712fca92e480f38b650a3db1f94225a7ac06b
SSDEEP

24576:4d33RjEptwxaf4mqVlb2mn91c91PzdOUfoZgTVuxk1G9Pyed5iTKXUg5N:G33RjEptwxaf4mW91c91Pfo2TV0k1GZB

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4424	reptile.exe
3476	reptile.exe
4836	Setup.exe
5016	csrss.exe
412	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "csrss.exe"	reptile.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	reptile.exe
File opened for modification	\??\PhysicalDrive0	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 3476	4424	reptile.exe	90
PID 5016 set thread context of 412	5016	csrss.exe	93

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\caps\caps.db-journal	Setup.exe
File created	C:\Program Files (x86)\Common Files\Adobe\backup\caps.db	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup\caps.db	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\caps.db	Setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	reptile.exe
File opened for modification	C:\Windows\csrss.exe	reptile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reptile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reptile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\OLESCRIPT	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\OLESCRIPT	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\CLSID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\OLESCRIPT	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\CLSID	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\OLESCRIPT	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	reptile.exe
Token: SeDebugPrivilege	5016	csrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4424	reptile.exe
4836	Setup.exe
5016	csrss.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4424	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	89
PID 4880 wrote to memory of 4424	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	89
PID 4880 wrote to memory of 4424	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	89
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4424 wrote to memory of 3476	4424	reptile.exe	90
PID 4880 wrote to memory of 4836	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	91
PID 4880 wrote to memory of 4836	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	91
PID 4880 wrote to memory of 4836	4880	eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe	91
PID 3476 wrote to memory of 5016	3476	reptile.exe	92
PID 3476 wrote to memory of 5016	3476	reptile.exe	92
PID 3476 wrote to memory of 5016	3476	reptile.exe	92
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93
PID 5016 wrote to memory of 412	5016	csrss.exe	93

C:\Users\Admin\AppData\Local\Temp\eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eefde0896c38953d97338c9be9c989c5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\reptile.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\reptile.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\reptile.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\reptile.exe" c:\users\admin\appdata\local\temp\Program.exe?à</¿©
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\csrss.exe
      "C:\Windows\csrss.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\csrss.exe
        
        "C:\Windows\csrss.exe" c:\users\admin\appdata\local\temp\Program.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\caps\caps.db

Filesize
26KB

MD5
8fdf28dfd592f2a2c8846f83f73390dd

SHA1
18be2802d2c76be9ea9a5ff4c086fbbafa4599c3

SHA256
6c9a0169d1afd716897488cca76182efe0fc624b46fb5a41c6e23270d296d829

SHA512
53a8a0867e00d612666885236c391246bacc4fbd2ea0a713ff38cd6c783db00273bbd462cc069875a8b0ea1a59ff4b28d1847d796c8c8e70fec68840016f38f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ahmbed.gz

Filesize
221B

MD5
bd7fb760b4edea502a141c2cebaf8b5a

SHA1
51911674abc60fd23313781093f6e019acf7faae

SHA256
39e8cd1b284fb011630e24e71902bfe77026bf81857d51dedf3b62af59be447d

SHA512
3adaa2ca98d57ea11aef8bdad026bdacb319dd8ca7375d2cbfcdc1b759b7035d6a3e777d32b0bba41af4acdbf79f42e05b138e1a78372bcbf470e42de7792ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
2.9MB

MD5
ae591cef7a3ec455f3742041ce6c8b46

SHA1
7b634779c128bf8bb5658166dcdb3dc60b7eca5d

SHA256
cbe0ed650456afa91e9e30689a035ff730751a80da541fe634abcb0c1e383ea4

SHA512
720686d002250bf4e7faa0240025481e4b18811f873ca1492e0bcfda599ad1497bea719d530d98f08c6edb9fccfe448f716aa5cd200664bc29d4a636c08a3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\reptile.exe

Filesize
92KB

MD5
cdb58de65a54f38f3e46c6de55e1a373

SHA1
1bc4f6cedcfc0099dc05afcb92fba8d22ce7389c

SHA256
9411c2ffa962afc5302fb79476f6d2a4f8c75e81cb0d6784b5074d5b172b97f6

SHA512
53ef1b8dd938dd2e90eb937541f4d994cb295057d6eb2665ec7263fd43c0ef84b663ae920e1718c38d0695a7d37eab62a40306d849b2e48bba2d5c436bde3808

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.htm

Filesize
3B

MD5
6057f13c496ecf7fd777ceb9e79ae285

SHA1
7f550a9f4c44173a37664d938f1355f0f92a47a7

SHA256
fa690b82061edfd2852629aeba8a8977b57e40fcb77d1a7a28b26cba62591204

SHA512
0601d109d0d2b0fa9c4484b4a5c94ee5ecc62ccec3bd7d99e972d18994d0e2e42f6d0fcfc41216a5ab72ee7af96d213e1c314abdde40f52731ff24c2bf8f7323

Download Submit
memory/412-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-42-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-77-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-65-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-75-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-67-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-70-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-71-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/412-73-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3476-30-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3476-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3476-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3476-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads