Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2024 05:47
Static task: static1
Behavioral task: behavioral1
  Sample: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
The behavior recorded below is from behavioral1 (platform windows7_x64, resource win7-20240903-en).
General
Target: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Size: 388KB
MD5: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1: c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256: a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA512: 22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
SSDEEP: 6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.txt
Family: teslacrypt
URLs:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5
http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5
http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5
http://xlowfznrg4wf7dli.ONION/BA1B1583073DEA5
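The four URLs above share one path component and span three clearnet domains plus one Tor hidden service (.ONION). The following Python is an added example, not part of the sandbox report, showing how to turn that config into network indicators (exact hosts, their registered domains, the Tor host, the shared path) and run them over proxy log lines. The log format and the log lines are constructed for the example; the .onion host is kept separate because it will never appear in clearnet DNS or proxy logs.

```python
"""Turn the TeslaCrypt config extracted above into network indicators and check
proxy log lines against them. Added example; the log lines are constructed."""
import re
from urllib.parse import urlsplit

# The four URLs from the "Malware Config" section of this report.
C2_URLS = [
    "http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5",
    "http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5",
    "http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5",
    "http://xlowfznrg4wf7dli.ONION/BA1B1583073DEA5",
]


def derive_indicators(urls):
    """Split config URLs into exact hosts, registered domains, Tor hosts and the shared path."""
    ind = {"hosts": set(), "domains": set(), "onion": set(), "paths": set()}
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        if host.endswith(".onion"):
            ind["onion"].add(host)          # needs a Tor client or gateway; never resolves in clearnet DNS
        else:
            ind["hosts"].add(host)
            ind["domains"].add(".".join(host.split(".")[-2:]))   # last two labels; enough for .com/.at
        ind["paths"].add(parts.path.strip("/"))
    return ind


# Squid-style access log: timestamp client status method url (constructed format)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def match_log(lines, ind):
    """Return (client, host, reasons) for every log line touching a config indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # malformed line: skip rather than crash the pipeline
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        reasons = []
        if host in ind["hosts"]:
            reasons.append("c2-host")
        elif any(host == d or host.endswith("." + d) for d in ind["domains"]):
            reasons.append("c2-domain")     # a sibling subdomain of a known C2 domain
        if parts.path.strip("/") in ind["paths"]:
            reasons.append("config-path")   # the path shared by all four config URLs
        if reasons:
            hits.append((m["client"], host, reasons))
    return hits


# Constructed proxy lines: exact C2 hit, benign, sibling subdomain, path-only match, malformed.
SAMPLE_LOG = [
    "2024-10-08T05:48:01Z 10.0.0.23 TCP_MISS/200 POST http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5",
    "2024-10-08T05:48:02Z 10.0.0.23 TCP_MISS/200 GET http://www.example.com/index.html",
    "2024-10-08T05:48:05Z 10.0.0.41 TCP_MISS/200 POST http://newsub.pontogrot.com/BA1B1583073DEA5",
    "2024-10-08T05:48:09Z 10.0.0.41 TCP_MISS/404 GET http://cdn.example.net/BA1B1583073DEA5",
    "garbage line without the expected fields",
]

if __name__ == "__main__":
    indicators = derive_indicators(C2_URLS)
    for client, host, reasons in match_log(SAMPLE_LOG, indicators):
        print(client, host, ",".join(reasons))
```

A path-only match is weaker than a host match and is reported separately so it can be triaged rather than blocked outright; a hit on the registered domain rather than the exact host catches rotated subdomains of the same infrastructure.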
Signatures
TeslaCrypt, AlphaCrypt
Ransomware family modeled on CryptoLocker. Its operators shut it down in 2016 and released the master decryption key, so files encrypted by this family can be recovered with the publicly available decryptors.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery. Here the deletion is done through WMIC (see the two WMIC.exe children of PID 2596 in the process tree).
Renames multiple (422) files with added filename extension
Consistent with ransomware encrypting files across the system and appending an extension to each one.
Deletes itself (1 IoC)
pid | process
2688 | cmd.exe
Drops startup file (3 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.txt | dyeopbpvfjhn.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.html | dyeopbpvfjhn.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.png | dyeopbpvfjhn.exe
Executes dropped EXE (2 IoCs)
pid | process
2232 | dyeopbpvfjhn.exe
2596 | dyeopbpvfjhn.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report attaches no specific file or process IoC to this signature; it is a TTP-level tag only.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fblixqmmhrex = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dyeopbpvfjhn.exe\"" | dyeopbpvfjhn.exe
The Run value launches the dropped copy indirectly through cmd.exe /c start, so a check that only looks for unusual executables in Run values sees cmd.exe; the payload path is in the value's arguments.
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 2868 set thread context of 2296 | 2868 | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2232 set thread context of 2596 | 2232 | dyeopbpvfjhn.exe | dyeopbpvfjhn.exe
In both cases a process spawns a child running its own image, writes to that child's memory (see the WriteProcessMemory entries below) and then sets its thread context. That sequence is consistent with process hollowing (RunPE): the child's image is overwritten with the unpacked payload and its entry point redirected before it runs. The process tree confirms that the children (2296, 2596) are the ones that do the real work.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by dyeopbpvfjhn.exe. Paths ending in Recovery+kdpef.txt/.html/.png are ransom notes; the others are existing files being overwritten (encrypted).
C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png
C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png
C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\Recovery+kdpef.html
C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\Recovery+kdpef.txt
C:\Program Files\Mozilla Firefox\defaults\pref\Recovery+kdpef.txt
C:\Program Files\Windows Photo Viewer\de-DE\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\Recovery+kdpef.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png
C:\Program Files\Uninstall Information\Recovery+kdpef.html
C:\Program Files\VideoLAN\VLC\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\Recovery+kdpef.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\Recovery+kdpef.html
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css
C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak
C:\Program Files\VideoLAN\VLC\locale\es\Recovery+kdpef.png
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\Recovery+kdpef.txt
C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css
C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\Recovery+kdpef.txt
C:\Program Files\Common Files\System\ja-JP\Recovery+kdpef.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+kdpef.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\Recovery+kdpef.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\Recovery+kdpef.png
C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\Recovery+kdpef.png
C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+kdpef.html
C:\Program Files\VideoLAN\VLC\locale\ml\Recovery+kdpef.txt
C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png
C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+kdpef.html
C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Recovery+kdpef.html
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png
C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Recovery+kdpef.txt
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\Recovery+kdpef.png
C:\Program Files\Mozilla Firefox\gmp-clearkey\Recovery+kdpef.txt
C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+kdpef.txt
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Recovery+kdpef.html
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+kdpef.txt
C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\Recovery+kdpef.html
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\Recovery+kdpef.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\Recovery+kdpef.html
C:\Program Files\Microsoft Games\Purble Place\en-US\Recovery+kdpef.html
C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\Recovery+kdpef.png
C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt
C:\Program Files\7-Zip\Lang\fur.txt
C:\Program Files\Common Files\System\ado\Recovery+kdpef.txt
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+kdpef.html
C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\Recovery+kdpef.png
C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+kdpef.png
Drops file in Windows directory (2 IoCs)
description | ioc | process
File opened for modification | C:\Windows\dyeopbpvfjhn.exe | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
File created | C:\Windows\dyeopbpvfjhn.exe | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
The copy is placed directly in C:\Windows rather than in System32, which requires administrative rights; the successful writes to HKLM below show the sample ran with them in this analysis.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dyeopbpvfjhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dyeopbpvfjhn.exe
This key is read by practically every Windows process at startup (the list above includes DllHost.exe, NOTEPAD.EXE and IEXPLORE.EXE), so on its own it carries little weight; it only matters if the sample branches on the result.
Modifies Internet Explorer settings (34 IoCs listed)
All keys below are under \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer, abbreviated as IE\. These are first-run artifacts of iexplore.exe, which PID 2596 launched to display C:\Users\Admin\Desktop\RECOVERY.HTM (see the process tree); they are browser noise caused by the malware opening its ransom note, not a persistence or evasion mechanism.
description | ioc | process
Key created | IE\PageSetup | iexplore.exe
Key created | IE\Toolbar | iexplore.exe
Set value (int) | IE\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Set value (int) | IE\Recovery\AdminActive\{F818EC51-858B-11EF-A701-7E918DD97D05} = "0" | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\IETld\LowMic | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | IE\TabbedBrowsing | iexplore.exe
Key created | IE\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\LastProcessed = a0d592cc9819db01 | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\MFV = (value omitted) | iexplore.exe
Key created | IE\Main | iexplore.exe
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Key created | IE\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | IE\SearchScopes | iexplore.exe
Set value (int) | IE\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | IE\GPU | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Key created | IE\Recovery\AdminActive | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000005980ce0884d51fb9f62f4a20520ee4ab080a69a773bbea202045e925ad67539e000000000e80000000020000200000007765f8c6a88e256f64703608a4a5571c1f575f76cb177b92524a40c6242d810a200000006f9c2e9ad931b78328de2426e2a43e558619a41a92c63a20bb3fd8bf620b0e6840000000b3143f5322beb78ca14ac52ef04fd0cfb131723e8af8fdd21fbdc803f7e9e575000d2b1133d41c96c3e67eca3c2dcd73963adcedf661ddab0a8fb62cd6885f99 | iexplore.exe
Modifies system certificate store (2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | dyeopbpvfjhn.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value omitted) | dyeopbpvfjhn.exe
The SHA-1 thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 belongs to the public root CA ISRG Root X1 (Let's Encrypt). A well-known public root appearing in the machine ROOT store while a process validates a TLS chain is the footprint of the Windows automatic root update, not of an attacker-controlled root being installed; the CryptnetUrlCache entry in the Downloads section is consistent with that. Compare the Blob against the published ISRG Root X1 certificate before treating this as a trust-store compromise.
Opens file in notepad (likely ransom note) (1 IoC)
pid | process
624 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
2596 | dyeopbpvfjhn.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
pid | process | privileges enabled
2296 | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | SeDebugPrivilege
2596 | dyeopbpvfjhn.exe | SeDebugPrivilege
1876 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2028 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
WMIC.exe enabling this full set of privileges is its normal startup behavior, so 40 of the 42 entries are noise; the signal for the two WMIC processes is their command line (shadowcopy delete, see the process tree). The SeDebugPrivilege requests by 2296 and 2596 are the malware's own.
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
2488 | iexplore.exe
1780 | DllHost.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | process
2488 | iexplore.exe (2 entries)
2528 | IEXPLORE.EXE (2 entries)
1780 | DllHost.exe (2 entries)
Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | process | target process | count
PID 2868 wrote to memory of 2296 | 2868 | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | 11
PID 2296 wrote to memory of 2232 | 2296 | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | dyeopbpvfjhn.exe | 4
PID 2296 wrote to memory of 2688 | 2296 | 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe | cmd.exe | 4
PID 2232 wrote to memory of 2596 | 2232 | dyeopbpvfjhn.exe | dyeopbpvfjhn.exe | 11
PID 2596 wrote to memory of 1876 | 2596 | dyeopbpvfjhn.exe | WMIC.exe | 4
PID 2596 wrote to memory of 624 | 2596 | dyeopbpvfjhn.exe | NOTEPAD.EXE | 4
PID 2596 wrote to memory of 2488 | 2596 | dyeopbpvfjhn.exe | iexplore.exe | 4
PID 2488 wrote to memory of 2528 | 2488 | iexplore.exe | IEXPLORE.EXE | 4
PID 2596 wrote to memory of 2028 | 2596 | dyeopbpvfjhn.exe | WMIC.exe | 4
PID 2596 wrote to memory of 2164 | 2596 | dyeopbpvfjhn.exe | cmd.exe | 4
The four writes into each ordinary child are what a parent does when it creates a process (environment and startup data); the eleven writes into the same-image children 2296 and 2596 are the payload being written during the hollowing noted under SetThreadContext.
System policy modification (1 TTP, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dyeopbpvfjhn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | dyeopbpvfjhn.exe
EnableLinkedConnections = 1 makes drive letters mapped under the user's unelevated token visible to the elevated (UAC-linked) token as well, so an encryptor running elevated can reach the user's mapped network shares. It is a common ransomware preparation step and a good detection point in its own right, since legitimate software rarely sets it.
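The host-side signatures above (WMIC shadow-copy deletion, a Run value that starts the dropped copy through cmd.exe, EnableLinkedConnections = 1, the same ransom note dropped as three file types in the Startup folder, cmd /c DEL of the parent's own image in 8.3 short-name form, and SetThreadContext against a child of the same image) can each be written as a rule over process, registry and file telemetry. The Python below is an added example, not sandbox code. The event schema is hypothetical, and the event stream is constructed from the PIDs, paths and values in this report plus two benign decoys (a WMIC query and a normal Run value). The self-deletion rule is written generally, so it fires for both cmd.exe children (2688 and 2164), not only the one the sandbox tagged.

```python
"""Detection rules for the host-side TeslaCrypt TTPs in this report, run over a constructed
event stream. Added example, not sandbox output; the event schema is hypothetical."""
import re
from collections import defaultdict

STARTUP_DIR = "\\start menu\\programs\\startup\\"
NOTE_EXTS = {"txt", "html", "htm", "png", "bmp", "url"}
SHADOW_RE = re.compile(r"\bshadowcopy\s+delete\b|\bdelete\s+shadows\b")   # wmic and vssadmin verbs
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"\s]+)')
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"')
WIN_ROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")              # directly under C:\Windows


def norm(s):
    """Lower-case and collapse whitespace so spacing tricks in a command line don't evade the regexes."""
    return re.sub(r"\s+", " ", str(s)).strip().lower()


def same_file(path_a, path_b):
    """True if two normalized paths name the same file; either side may be an 8.3 short name
    (first six characters of the long name, then ~N), as in 1FE6FD~1.EXE."""
    if "\\" not in path_a or "\\" not in path_b:
        return False
    dir_a, name_a = path_a.rsplit("\\", 1)
    dir_b, name_b = path_b.rsplit("\\", 1)
    if dir_a != dir_b:
        return False
    if name_a == name_b:
        return True
    short, long_ = (name_a, name_b) if "~" in name_a else (name_b, name_a)
    if "~" not in short:
        return False
    return long_.startswith(short.split("~", 1)[0]) and short.rsplit(".", 1)[-1] == long_.rsplit(".", 1)[-1]


def detect(events):
    """Return (rule, pid, detail) alerts; pid is the process the behavior is attributed to."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts, startup_drops = [], defaultdict(set)
    for e in events:
        pid = e["pid"]
        image = norm(procs[pid]["image"]) if pid in procs else ""
        if e["type"] == "process":
            cmd = norm(e["cmdline"])
            if image.endswith(("wmic.exe", "vssadmin.exe")) and SHADOW_RE.search(cmd):
                alerts.append(("shadow_copy_deletion", pid, e["cmdline"]))
            m, parent = DEL_RE.search(cmd), procs.get(e["ppid"])
            if image.endswith("cmd.exe") and m and parent and same_file(m["target"], norm(parent["image"])):
                alerts.append(("self_deletion", e["ppid"], e["cmdline"]))   # attributed to the deleted parent
        elif e["type"] == "set_thread_context":
            tgt = e["target_pid"]
            if pid in procs and tgt in procs and image == norm(procs[tgt]["image"]):
                alerts.append(("same_image_hollowing", pid, tgt))           # RunPE pattern (2868->2296, 2232->2596)
        elif e["type"] == "registry_set":
            key, value, data = norm(e["key"]), norm(e["value"]), norm(e["data"])
            if key.endswith("\\currentversion\\run"):
                exes = QUOTED_EXE_RE.findall(data)
                if ("cmd.exe" in data and "/c start" in data) or any(WIN_ROOT_EXE_RE.match(p) for p in exes):
                    alerts.append(("run_key_cmd_start", pid, f"{e['value']} = {e['data']}"))
            if key.endswith("\\policies\\system") and value == "enablelinkedconnections" and data == "1":
                alerts.append(("linked_connections_enabled", pid, e["key"]))
        elif e["type"] == "file_create":
            p = norm(e["path"])
            if STARTUP_DIR in p and p.rsplit(".", 1)[-1] in NOTE_EXTS:
                startup_drops[pid].add(p.rsplit("\\", 1)[-1])
    for pid, names in startup_drops.items():
        if len(names) >= 2:                       # the same note dropped as several document types
            alerts.append(("ransom_note_in_startup", pid, sorted(names)))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
DROPPED = r"C:\Windows\dyeopbpvfjhn.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef."
RUN_KEY = r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed event stream modelled on the process tree and IoCs in this report, plus two benign decoys.
EVENTS = [
    {"type": "process", "pid": 2868, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2296, "ppid": 2868, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "set_thread_context", "pid": 2868, "target_pid": 2296},
    {"type": "process", "pid": 2232, "ppid": 2296, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 2596, "ppid": 2232, "image": DROPPED, "cmdline": DROPPED},
    {"type": "set_thread_context", "pid": 2232, "target_pid": 2596},
    {"type": "process", "pid": 2688, "ppid": 2296, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE'},
    {"type": "registry_set", "pid": 2596, "key": RUN_KEY, "value": "fblixqmmhrex",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\dyeopbpvfjhn.exe"'},
    {"type": "registry_set", "pid": 2596, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": 1},
    *[{"type": "file_create", "pid": 2596, "path": STARTUP + ext} for ext in ("txt", "html", "png")],
    {"type": "process", "pid": 1876, "ppid": 2596, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive'},
    {"type": "process", "pid": 2164, "ppid": 2596, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYEOPB~1.EXE'},
    {"type": "process", "pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" os get caption'},   # benign decoy
    {"type": "registry_set", "pid": 3001, "key": RUN_KEY, "value": "OneDrive",  # benign decoy
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The shadow-copy rule matches on the verb ("shadowcopy delete") rather than on the /nointeractive switch, because the recorded command line spells that switch with a space in it; matching the verb after whitespace normalisation is the robust choice. The Run-key rule fires either on the cmd.exe /c start wrapper or on a target executable sitting directly under C:\Windows, so it also catches a variant that writes the payload path directly into the value.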
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe (PID 2868)
    command line: "C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe (PID 2296)
        command line: "C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\dyeopbpvfjhn.exe (PID 2232)
            command line: C:\Windows\dyeopbpvfjhn.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\dyeopbpvfjhn.exe (PID 2596)
                command line: C:\Windows\dyeopbpvfjhn.exe
                - Drops startup file
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Modifies system certificate store
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                [5] C:\Windows\System32\wbem\WMIC.exe (PID 1876)
                    command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive (command line as recorded by the sandbox)
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\NOTEPAD.EXE (PID 624)
                    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
                    - System Location Discovery: System Language Discovery
                    - Opens file in notepad (likely ransom note)
                [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 2488)
                    command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2528)
                        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
                        - System Location Discovery: System Language Discovery
                        - Modifies Internet Explorer settings
                        - Suspicious use of SetWindowsHookEx
                [5] C:\Windows\System32\wbem\WMIC.exe (PID 2028)
                    command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\cmd.exe (PID 2164)
                    command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYEOPB~1.EXE
                    - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\cmd.exe (PID 2688)
            command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE
            - Deletes itself
            - System Location Discovery: System Language Discovery
[1] C:\Windows\SysWOW64\DllHost.exe (PID 1780)
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (4)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Unnamed file, 9KB
  MD5: 42b9defa3c22670549c88c352eebd7c8
  SHA1: 8e75bab6dba473467b10f25b58c0b1cb8347416d
  SHA256: 39a9e3af76ed44b8afa73bda85e2629657d20c24ec91ed076fd0ab87e4901ce4
  SHA512: 8153a4933d4d94920778fc0cf052e16d040a397a714d495d88e533f97778626d7767540e5103f08906f04d40dc58106589eb900491db628b5e3f03166ed95b64
Unnamed file, 63KB
  MD5: 44b9c66b8f1f99be6198f07bae10a01e
  SHA1: 6784a62d466bf1383f74558b5a9075f1e8ab4a1a
  SHA256: 83d57950fbc1866457985347ee26040959ce509e19beecb96a605217481ea315
  SHA512: 832da429a963a7ca02375cc166ee5bf10ee338bc964df79f9d096ab25fde28b937de07792638ca955ad21a88c699c68cb5fdbd443945ade0605976dd5c5132da
Unnamed file, 1KB
  MD5: 99bf04db906bf51557959c671dba9ee2
  SHA1: 12fcd234e530855508e205310bd01ffa43f73beb
  SHA256: 457f521625205d8924d851161c69642158b8fcf9ec3927758b3ed363426ea52a
  SHA512: 1a5285fa7b226b783e0c98ca8318c290814f2393e7cf48a34c6d02d227a67a51f2b154a10eb4d39d3e7b3e70f5ecfd7f25b66572a0c7d417f92ceeeabb62bec2
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt, 11KB
  MD5: 782cd194cf17ef48b35f2a776f0b5a1c
  SHA1: ecac2aeb08b0cb165fe63670e787b69c4ee48b25
  SHA256: 0d9a172cc228eca8a8df0656fd2ec4b0adc88689dd4f4674a3be24774dbc5f5d
  SHA512: 9622b74c5e0b5d0380766299ae02ab99a26cc9f11768828d754ff22ea854323770bec358cfcf0ff33cf34ecf8469c9dd63c2422ee493a0d634e150561c7a08d5
Unnamed file, 109KB
  MD5: 3d8f07eb400a297cdfb4984b9d9fee02
  SHA1: 3556e686330321597184e80b2f0749cc5b2abf4a
  SHA256: 346860aa3001b014febe0925af8a014d1e207fc89b091a45f808dd9f3e5669b7
  SHA512: a9b6878d017d3e0261383704c6eebe5c76a947b7385005e44826b107da992bea0ac906d584ed4c480023c952bc3c1854c57c20de460e193f6e846a7e64bcc7c5
Unnamed file, 173KB
  MD5: 102bbbc947d6c89fc55c96412f94c13c
  SHA1: 67157082ee09afcb35ad4e4876a7fe4172f1290c
  SHA256: 56e5f9e1823e49ab81011cbfadbdac2c208d35abdbd8d39ef8f0a2305c005227
  SHA512: ade23c7e730c7d52c650db4e5b632943b50613eade203565fa1f81555e4fab22947df46815c98fb5810e33d0ea55da58e5e3e7b8a504fc3d58384983c6265f84
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015, 342B
  MD5: cf49d353c14e0c95eb076eca342c6c40
  SHA1: e10fded1e24f59636ca3f0466a32bcad856ae7e6
  SHA256: 6cbb24f8c255cddbbbe07af8a923c1d556d64c635521373b7d023883e72d25b6
  SHA512: 68f74236c8186acfd503d3a135e90c0d5f3d2fc197b92494f3b50e3ed8878d46508ad7de444c5d04e876b95cc183b3c394c14cca6057d05780a3ed1642aeb9f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50291c04a5412c381f4d0d31b50c3e58b
SHA11e90ee48578b3951fbcf7c6b147e3661db3e9d27
SHA2564f4a45084290e46fbcaa433bdcd970938ff9f8854af45cea2ce347ce00828d96
SHA51273f6b36e7b642c9643db27463b6d45861d1c493ee9a3fd64d45facbce61fb3927c16c40f40774307601717a6f4cf083c07ba307ef47c0f633d39171887acec9a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fa71d9dd57ab89282ec8fddb576dfef4
SHA1f1134b2b062a712a86512f457acd0b0ffc0b899c
SHA256b95593117db837dbdc393f6fa7cf5bb99ca4b3bef08789231e34499a786a8866
SHA51289af5b8a24daf5fd7a81cc4eabbe8ad4ae4a5362680b6a5ae9a5aa4fc692e67d9b8e3495443e1d56ccf932da82e61e1989b928a25a06afd9dc2086f92b858209
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD558a09d82c1e9fc1f11997ee87632b3cc
SHA18d16af332f6a6f97fa3f2040e50a3a6176e6f9d4
SHA2563f895e9fb596e8222ae24d4eeade20423515a7b4fa9c49b8ae3f4274376c1ae6
SHA5124b12d2eaf90e4fa06ba59ca281eb965d0fde9127d546a0d6582b929fddc494c70af889187c0558e7d51b266306bd5d18d57dda0dff248ab89c2086c5efce9a38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5821bbce4b74071d898ac736a7d04b960
SHA12f7f47d3563c2fb8c2d6720a914b821275646a0c
SHA256132f85fdb4bfe83431ba0d8fd5e16e98fa12e89236c32ce18b5101cc2761d828
SHA512f31bbc64f48d1ded897fd476e85242a43731e9b5da21ec3e229c32833eafca4ddbf987a29ef90ef5252a16b3146c807c47ff5cd52c6966b13be89a5ae09cf5a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5467e9a92d5a31f4f8b3d58b0303c5781
SHA122eb2cdeffc6bf46b69509edb3f24b5246059a24
SHA2560cc956dfb2d39e25c3e2f6661aa04a704d7ef016b1191aa2bd82d534ba470a7b
SHA5122dd34549dc3f3054bcfd9291460ffd44083c6426dc7c370d3877e972914be48d5ef0e60b3e9a06021f2a4bf79a0acf24e15acd84ce80bd4747cb95a3e9049ebf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d42385feeb3d43274ca0eb296e693a15
SHA1cd98dcb7c6087e9d649c7422de51cd5723e76dd0
SHA25639aec1305594ff4ec10686d4c46cdf3dabde47f8ae16e4486a1671a2561f36b3
SHA5123f60debe9bd7cbb5af265e4242c0924d134f522a38692e0e9c2480dd44c6ae45ccb23b84113eebdf1f6541b2bb080fe74c07dcb65dcbc9d2cfd97d8b95a23df8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dad42d8c78c467b0552770f00621841d
SHA117a5ff854247f6cbfaf68dd4efee6fac019ecfe8
SHA2568ee734fbedcc95654445ed3ef4743277f91fd5b894aff4a2a12c2d7c2927798a
SHA512b3a47ec3b4eeb1a8b29a3a8f9572f0e4812ff2f846f48121c3c2ea2d83487766fe57e738c4e002ffdfcbc86fba0f7a062bc42f9f9d00a4c847df9470104b0e3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56d4350970e4e0b3287f4eb1e76b6bf45
SHA1a97d87ccb5b58ea95c71f77a8bf7434804ce3cbc
SHA2566038532a64dd4ad6dbcee2954351782e0bb6d245a04488c96f6d989e26d87547
SHA512aa31ea435add14c7a4f22a9acf3459f061e7f3b7a26a366d026aac332bd9e993fed13ef2e736f119bfdc127f85791d58ed830da6945dfca00a822ad2183d0ef1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
388KB
MD51fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA51222cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6