795543ba901156c539e9e32a475c5433d7752d54622deefba964ce20cc210e06

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe
Size

146KB
MD5

0472c89e83f68ecaa5116145d94b6491
SHA1

79047ef858d080bbc95bb9f54272a84006adf5e8
SHA256

795543ba901156c539e9e32a475c5433d7752d54622deefba964ce20cc210e06
SHA512

16025a6ea1aaf4dec4ffba3dccd3488a411268258d08c272744a6cd76be02d0db709c2007100c97c67b23f0e3b987d8fe0dba9d0ea20dc397e3065bdf4ec2068
SSDEEP

3072:f9BQf+L0ghfXmsHHFLXPi+8iJeWqKj6Pu7hcP6wymfqyMO:f9uWL0gh/mIHFDPi+5J9pe2CCw/NMO

Score

8^/10

discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SE.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Maxthon.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KylinBrowser.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IERepair.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tango.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XWebStar.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IERepair.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GreenBrowser.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tango.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaaYaa.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhinanzhenbrowser.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vu.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaaYaa.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MyIE.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MyIE.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SogouExplorer.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "C:\\WINDOWS\\system32\\ruixing.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winpatrol.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winpatrol.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MiniIE.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdoIE.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iemate.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TouchNet.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\See9IE.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kastray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\theworld.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTraveler.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\suda.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iemate.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SogouExplorer.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hsreg.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTraveler.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KylinBrowser.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Start.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\top.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avant.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MiniIE.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Start.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XWebStar.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kastray.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vu.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TouchNet.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\See9IE.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhinanzhenbrowser.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hsreg.exe\Debugger = "C:\\WINDOWS\\system32\\ruixing.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe\Debugger = "C:\\WINDOWS\\system32\\ctfmon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Maxthon.exe\Debugger = "C:\\iexplor.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\suda.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avant.exe\Debugger = "C:\\iexplor.bat"	regedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\D\ = "É¾³ý(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\ÊôÐÔ(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\·ÃÎÊ(&H)\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\·ÃÎÊ(&H)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\ = "·ÃÎÊ(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\D\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\ÊôÐÔ(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\·ÃÎÊ(&H)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\·ÃÎÊ(&H)\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe %1 http://www.baidupc.com"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\ShellFolder\Attributes = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\D	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\D\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70831953-2516-2516-2516-602478009462}\Shell\ÊôÐÔ(&R)\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regedit.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2672	regedit.exe
2740	regedit.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2944	1972	0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2944 wrote to memory of 2652	2944	WScript.exe	31
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2672	2652	cmd.exe	33
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2740	2652	cmd.exe	34
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35
PID 2652 wrote to memory of 2640	2652	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0472c89e83f68ecaa5116145d94b6491_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\dygod.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\bdr.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s keysh.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2672
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s 1123.reg
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      System Location Discovery: System Language Discovery
      Modifies registry class
      Runs .reg file with regedit
      PID:2740
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /regserver
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1123.reg

Filesize
7KB

MD5
56b7eaeda6367b7e0ba249d83f5cc020

SHA1
4aca94f7517b636b6c663d9abbf5577a79232c8d

SHA256
04f2029dfd84b5fe08bccdbdce99dd081a62b76ea018d61b5befc3e088f5cb18

SHA512
0424d8637f04ce8bf35848523c6bd5da6652490e3cc8f40c4e762105f3d606c24bb43a275e9c9de954fc89c5847501c1af5db37931c5aa998d264a1c40a9f576

Download Submit
C:\\Internet Exp1ore.lnk

Filesize
1KB

MD5
5d0f5e00c3f310fd6daccd2c69d42513

SHA1
688109a4a821345d23594f3426fe383fcb75ae3c

SHA256
22b18d5f1413f08a07dbbfaed4fb6d27895376819ae4fe908c0223e63d3d55bc

SHA512
c8ffd2c9b55b69313fdd0c5d9dcce924daad42208ff6427f153cbf70f626e1bcdda803b1f4e13c67784460bd5fc0bbebb6f5a2619f9dda791afb174249ff59d8

Download Submit
C:\bdr.bat

Filesize
665B

MD5
e6db6a9de8aaa85b6d3ffc4b2154be4f

SHA1
52bf30911874d916457be2916287503edc8bf3b4

SHA256
77933f93b56a0c5e7039fbf856d3d2e347dc0f8ff731cda5e6bcea1a676136cc

SHA512
171f63765729cdb30e5e04c860d39ea3e763e7c0a8966207ef267f393ad43fa8b4eaa6bd601bd8432d4cec5d52e832fce29ea208f67c9ba409b194ee435111a1

Download Submit
C:\dygod.vbs

Filesize
134B

MD5
03fda96f8372449800ed729b9e44cd88

SHA1
0ef035efdcfe8008212718ddf16a5b16d279629c

SHA256
8895549f0782054e69cc5c8a91780291df4d99ab928b3b25fb6054c8a537953c

SHA512
9dc827f199e34e1b3619af54901c58e48942a71162835d588581a336d45d744f8266c4ff754ae2f30b89fba0f319f65e572909ec31eb7bc92b26b9f7ad516bbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads