3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Size

298KB
MD5

03ca8f4558571b27bef876d0005663bd
SHA1

08e6dbadc0e38517565127514f66a6d5794bb88d
SHA256

3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22
SHA512

4391181cc2ca0acf4c94d076d614f1c2a770706c710ede7e355bcdd7e07bfc41ad8ae47eb909a2d5ce21bb3698f4bc728413eb3650f79abee7bb25fae4c29716
SSDEEP

6144:CzSY0RcrnbIFMzEOjh64JDZs6z7/WKtuujadWphpVsznR1bYhmbM:uKcrnbIA7dTYKsujaqpkRChmbM

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000018fb0-78.dat	aspack_v212_v242

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pp111.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pp111.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Pnkx.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Version Vector	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.1188.com/?JaffaCakes118"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.1188.com/?JaffaCakes118"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2928	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2928	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2928	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2928	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2864	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2864	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2864	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2864	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2812	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2812	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2812	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2812	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	31
PID 3060 wrote to memory of 396	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	35
PID 3060 wrote to memory of 396	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	35
PID 3060 wrote to memory of 396	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	35
PID 3060 wrote to memory of 396	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	35
PID 3060 wrote to memory of 2772	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	37
PID 3060 wrote to memory of 2772	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	37
PID 3060 wrote to memory of 2772	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	37
PID 3060 wrote to memory of 2772	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	37
PID 3060 wrote to memory of 884	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	39
PID 3060 wrote to memory of 884	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	39
PID 3060 wrote to memory of 884	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	39
PID 3060 wrote to memory of 884	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	39
PID 3060 wrote to memory of 1152	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	40
PID 3060 wrote to memory of 1152	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	40
PID 3060 wrote to memory of 1152	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	40
PID 3060 wrote to memory of 1152	3060	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	40
PID 2928 wrote to memory of 2520	2928	cmd.exe	43
PID 2928 wrote to memory of 2520	2928	cmd.exe	43
PID 2928 wrote to memory of 2520	2928	cmd.exe	43
PID 2928 wrote to memory of 2520	2928	cmd.exe	43
PID 2812 wrote to memory of 1820	2812	cmd.exe	44
PID 2812 wrote to memory of 1820	2812	cmd.exe	44
PID 2812 wrote to memory of 1820	2812	cmd.exe	44
PID 2812 wrote to memory of 1820	2812	cmd.exe	44
PID 2864 wrote to memory of 2152	2864	cmd.exe	45
PID 2864 wrote to memory of 2152	2864	cmd.exe	45
PID 2864 wrote to memory of 2152	2864	cmd.exe	45
PID 2864 wrote to memory of 2152	2864	cmd.exe	45
PID 2928 wrote to memory of 2424	2928	cmd.exe	46
PID 2928 wrote to memory of 2424	2928	cmd.exe	46
PID 2928 wrote to memory of 2424	2928	cmd.exe	46
PID 2928 wrote to memory of 2424	2928	cmd.exe	46
PID 2812 wrote to memory of 664	2812	cmd.exe	47
PID 2812 wrote to memory of 664	2812	cmd.exe	47
PID 2812 wrote to memory of 664	2812	cmd.exe	47
PID 2812 wrote to memory of 664	2812	cmd.exe	47
PID 396 wrote to memory of 1988	396	cmd.exe	48
PID 396 wrote to memory of 1988	396	cmd.exe	48
PID 396 wrote to memory of 1988	396	cmd.exe	48
PID 396 wrote to memory of 1988	396	cmd.exe	48
PID 396 wrote to memory of 1460	396	cmd.exe	49
PID 396 wrote to memory of 1460	396	cmd.exe	49
PID 396 wrote to memory of 1460	396	cmd.exe	49
PID 396 wrote to memory of 1460	396	cmd.exe	49
PID 2864 wrote to memory of 1764	2864	cmd.exe	50
PID 2864 wrote to memory of 1764	2864	cmd.exe	50
PID 2864 wrote to memory of 1764	2864	cmd.exe	50
PID 2864 wrote to memory of 1764	2864	cmd.exe	50
PID 2772 wrote to memory of 1672	2772	cmd.exe	51
PID 2772 wrote to memory of 1672	2772	cmd.exe	51
PID 2772 wrote to memory of 1672	2772	cmd.exe	51
PID 2772 wrote to memory of 1672	2772	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun7.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun49.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun44.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun41.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun89.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\Launch Internet Explorer Browser.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun39.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\Launch Internet Explorer Browser.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun36.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

Filesize
787KB

MD5
c8a8321292a459b0a17fb39a782a5c74

SHA1
ef08e68af5b52c468a905a016ddbfb7c5b0a62e6

SHA256
a214e3b654bcb6e6142e101b0e89081d44a3a634afa94dc0a620467335b7beb2

SHA512
e43131e59ad638445d041753b3711a261134b7a557c10a462ed26c8db72c90814e561013b8b57fc64be5f9339eba875e14f48af54f0218735e6733227c264553

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun36.bat

Filesize
191B

MD5
93cafd5778071dcaa715932e5e4f4ee7

SHA1
d300ea5935d62e297e2fb9c85cbb8897332c5263

SHA256
1c7a8faf859640a5ff60af52ab0c12e30dea80ccfd5b761b10616969db152d1a

SHA512
c174cd6dc93f3b948674994bcce771a5ff6bc63560a1e5062464c6cfc6d438391fd8bba34f0460f7897429c8a7d19fc30b6b622c7c2d441f6717211aa9711330

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun39.bat

Filesize
195B

MD5
f5c6f5d14ccb17462df18efee7561a95

SHA1
60b6ae76d258f3df02cd7d73053f5c19d40ec0a6

SHA256
df5debad9283c7e914b88e26aa81d16cf57e8fd7550319a499bcc6460e68befd

SHA512
3fcbacdc2fd29a2410abb377dc9a81f6f89656d22cb4861dc338132d609b7ed5e5e126a5a2870c829b78f5acc01b66a1e4de627bf11974616548a45052166b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun41.bat

Filesize
130B

MD5
d2974718dedfba615bcccbedbcdca3ea

SHA1
d2edecfa8c6f09be11bc1dd702e9ace63cc3cfda

SHA256
59498b25dca2e0162f34d6d00c842d85be117a3619f7f435e6790844b9616d47

SHA512
695752d8cf03a06bc9fb45de168e84d81b801a65215c0b14bfbcc35e5eb8cf26da3da6ca93deff9e2a3f3e36b66eeb1926941610d4808c5f1d10a8bbbd656033

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun44.bat

Filesize
130B

MD5
49cd0b7d8dcbc470c63ec92f1f3acfc5

SHA1
ddf1ef8746b5e868df2ba783c16ae4b041b6989b

SHA256
11ed30db9de31ee899c81db4bd9e55d96577884e2f92c6688ac0d7f8a53e592a

SHA512
54f09793749aeefff03cb82045d379dc6c098e4059ba30d5d2f84d72411e989efe4322719db55de20bbae51206252961bc4128496225b2dbe799cf138be6b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun49.bat

Filesize
142B

MD5
f996bfa141e4e8db400015f6e33672a5

SHA1
e3a4e748fa1e87499c4e603acb1ff5dacf9b8ea3

SHA256
7ab1c4ef5d907cc2c13124dbf4f4c32f8f47ed04326a60c62114b23a3b393415

SHA512
21367d5a6dcc3d734160d44fa24eb416fb0d95c633ffc2088f04c33f1759f538b83617098d21dfe291569048d29a733ae4a91789692111989968c89fd31d9329

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun7.bat

Filesize
129B

MD5
82cdba7e18488f0c4fada43ef4656afb

SHA1
2442579c715d4b39a73c7f07bc5d1bd4a823c37c

SHA256
9807a9a32763631a7f21d40746c065f92bb0c2cc4ce00b7e415133de2861acef

SHA512
ac18889897437ef7d0b02bb94066ea0a917cb256313b52e86b5e375693297d150c3fa04f721701961a1c3d0b447c58b8e377c6b94b1e6ab6a26378247e07b0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun89.bat

Filesize
195B

MD5
101ecbf2a18240cd0c44500d88ddcd94

SHA1
72223a8edc37c912a376c172ac687db89a761d63

SHA256
41930096a9dbbcf1123a6d261d218ea6a4abdcffa1f57dba0ab3bf71dedea7dd

SHA512
72c966f53f33fd15a41444d4d6a6a577a6825143ee803cad96d96c1c72dc6d722a335bde50fb61c544244d3a231e3f9a52bf440ab51ae58ba040bbc4150557e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
5dbd63cbc40b2ea01c3c0494f5ba7457

SHA1
24b93c7e55e1643b309d6641fff4e2ff9e244429

SHA256
38b7d18a52d5a264b2073ba3e9cdff4fa3cf38ee36b53dcd131f81f5b412584b

SHA512
b925e638b06f698fe798052a79027b328d1ab77b848a2c59beeeba33409962b0e311ee5b466bed2f35d2857944c8fc5fc316317f1856a75442424e4af5e1d741

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
a6e56d0cb56fb67161c56f4803e7440c

SHA1
f5545a25e028e0b699878c3c6be8f20a5e82ada4

SHA256
84bc8babad3e65550d4c12b45b7125e3cdf1759a0d13bd7719f68cd91c5f9128

SHA512
4a8b4e6cc6e901d1c60c6cf7e2693aaeeb6e5c4fd6800199c227aa95f83d16627e44f5b09ed55c9f7f3966bdc05ac0ed8f9a96089f284e4139228cf96e33402a

Download Submit
C:\Windows\SysWOW64\Pnkx.exe

Filesize
298KB

MD5
6c13b03b53eb6ca8455c84779f6ce8bf

SHA1
074004075af6ad6447af2f14a58ed8917106fe46

SHA256
7b999b3f9910782941969cd5200839d65887f49d0c8606f07ce372b3519c1184

SHA512
6bfda5627a3e1c15a6cd49f2e92812b49895317318cd7262d7a863fffcb41fd268a8c27826dd1d97be74f8c79cd0aee8d0b81d805a5d662d58d6ea374d575dc7

Download Submit
memory/3060-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3060-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3060-87-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads