Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-10-2024 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
- Size: 4.4MB
- MD5: 2ab67006fad0b7b4e8fb6496e221a529
- SHA1: 47f849e72bd7d203755775eebef19e1efa71ee19
- SHA256: 5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
- SHA512: a6ed4b8ae46d5bfdc802054c8ca428500473d29a736e1277c9654c6dfa2ae481a9e5fe0c505e0be0beddc86f880d0212483014968f41e5d93c15190877b16452
- SSDEEP: 98304:HnGhGTPqSqfA0kWqa+5RmaH9ieepOs6435I58hsNcA5Pa:mBI02a+5gageepOs6435I58hS
Malware Config
Extracted
- Family: gcleaner
- C2: ggc-partners.in
Signatures
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Socelars payload 1 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\2.exe | family_socelars
OnlyLogger payload 1 IoCs
resource | yara_rule
behavioral2/memory/1148-288-0x0000000000400000-0x0000000000910000-memory.dmp | family_onlylogger
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 5.exe
Executes dropped EXE 11 IoCs
pid | process
1704 | Chrome 5.exe
1776 | 1.exe
4916 | 2.exe
5052 | 3.exe
1148 | 4.exe
3400 | 5.exe
1996 | 6.exe
4080 | BearVpn 3.exe
4136 | 7.exe
2808 | 5.exe
2916 | 8.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json | 2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow | ioc
6 | iplogger.org
7 | iplogger.org
9 | iplogger.org
11 | iplogger.org
23 | iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in Program Files directory 1 IoCs
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid | pid_target | process | target process
2800 | 4080 | WerFault.exe | BearVpn 3.exe
844 | 1148 | WerFault.exe | 4.exe
4240 | 1148 | WerFault.exe | 4.exe
2908 | 1148 | WerFault.exe | 4.exe
2272 | 1148 | WerFault.exe | 4.exe
2324 | 1148 | WerFault.exe | 4.exe
4936 | 1148 | WerFault.exe | 4.exe
2008 | 1148 | WerFault.exe | 4.exe
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BearVpn 3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xcopy.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that every hit below is attributed to dwm.exe (PIDs 5088 and 2068), which the process tree lists as a top-level system process rather than a child of the sample, and the Ven_QEMU device names are the sandbox's own virtual hardware; treat this signature as background activity unless the sample is shown to control dwm.exe.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dwm.exe
Enumerates system info in registry 2 TTPs 5 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | dwm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | dwm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Kills process with taskkill 1 IoCs
pid | process
3444 | taskkill.exe
Modifies data under HKEY_USERS 36 IoCs
All 36 entries are "Key created" by dwm.exe; the ioc column follows:
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates
\REGISTRY\USER\.DEFAULT\Software\Policies
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache
\REGISTRY\USER\.DEFAULT\Software\Policies
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
\REGISTRY\USER\.DEFAULT\Software
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
\REGISTRY\USER\.DEFAULT\Software
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
\REGISTRY\USER\.DEFAULT\Software\Microsoft
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
Suspicious behavior: LoadsDriver 64 IoCs
pid (64 entries, process names not recorded): 4972, 2908, 2228, 4496, 2652, 4080, 1912, 4676, 100, 380, 1896, 1612, 5100, 4900, 3428, 3680, 3044, 3440, 1132, 328, 1564, 640, 1476, 3788, 4084, 2316, 2636, 4576, 2568, 2880, 4232, 1248, 4412, 1288, 2096, 4236, 1088, 4652, 4980, 1856, 2368, 3408, 4112, 716, 4812, 1084, 3400, 2376, 3504, 4092, 3868, 1732, 3236, 1220, 3296, 2964, 3676, 2204, 2524, 3144, 3808, 2844, 3716, 3404
Suspicious use of AdjustPrivilegeToken 56 IoCs
Token adjustments grouped by process (56 entries in total):
2.exe (PID 4916): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
SeDebugPrivilege only: 5052 3.exe, 1776 1.exe, 4080 BearVpn 3.exe, 2916 8.exe, 4136 7.exe, 3444 taskkill.exe
dwm.exe (PIDs 5088, 2068, 3444 and 1008, each): SeCreateGlobalPrivilege, SeChangeNotifyPrivilege, 33, SeIncBasePriorityPrivilege
The bare numbers are privilege LUIDs the sandbox did not resolve to names: 31 SeTrustedCredManAccessPrivilege, 32 SeRelabelPrivilege, 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege. The 2.exe list is every privilege from LUID 2 (SeCreateTokenPrivilege) through 35 in ascending order, which is the footprint of a loop that tries to enable every privilege in its token rather than a targeted request; for privileges a standard-user token does not hold, AdjustTokenPrivileges returns ERROR_NOT_ALL_ASSIGNED and the call is a no-op.
Suspicious use of WriteProcessMemory 40 IoCs
Writes grouped as source → target, with the number of recorded writes in parentheses (40 in total):
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 1704 Chrome 5.exe (2)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 1776 1.exe (2)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 4916 2.exe (3)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 5052 3.exe (2)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 1148 4.exe (3)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 3400 5.exe (3)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 1996 6.exe (2)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 4080 BearVpn 3.exe (3)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 4136 7.exe (2)
3400 5.exe → 2808 5.exe (3)
1968 2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe → 2916 8.exe (2)
4916 2.exe → 1628 cmd.exe (3)
1628 cmd.exe → 3444 dwm.exe (3)
4916 2.exe → 4384 xcopy.exe (3)
4916 2.exe → 3236 chrome.exe (2)
3236 chrome.exe → 2196 chrome.exe (2)
Caveat on the "1628 cmd.exe → 3444 dwm.exe" rows: in the process tree PID 3444 is the taskkill.exe that this cmd.exe launched, and a dwm.exe instance only carries that PID later in the run, so the sandbox resolved the name after PID reuse. The writes are the normal parent-to-child setup of taskkill.exe, not an injection into the desktop window manager. The same reuse affects PID 1628 (cmd.exe, later sihost.exe); read every PID-keyed attribution in this report with that in mind.
Processes (tree depth in brackets, children indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe  (PID 1968)
    cmd: "C:\Users\Admin\AppData\Local\Temp\2ab67006fad0b7b4e8fb6496e221a529_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe  (PID 1704)
      cmd: "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 1776)
      cmd: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\2.exe  (PID 4916)
      cmd: "C:\Users\Admin\AppData\Local\Temp\2.exe"
      - Executes dropped EXE
      - Drops Chrome extension
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1628)
        cmd: cmd.exe /c taskkill /f /im chrome.exe
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 3444)
          cmd: taskkill /f /im chrome.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\xcopy.exe  (PID 4384)
        cmd: xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        - System Location Discovery: System Language Discovery
        - Enumerates system info in registry

    [3] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3236)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2196)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd860fcc40,0x7ffd860fcc4c,0x7ffd860fcc58

  [2] C:\Users\Admin\AppData\Local\Temp\3.exe  (PID 5052)
      cmd: "C:\Users\Admin\AppData\Local\Temp\3.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\4.exe  (PID 1148)
      cmd: "C:\Users\Admin\AppData\Local\Temp\4.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 844)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 624
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4240)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 632
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2908)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 756
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2272)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 780
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2324)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 832
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4936)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 908
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2008)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1256
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\5.exe  (PID 3400)
      cmd: "C:\Users\Admin\AppData\Local\Temp\5.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\5.exe  (PID 2808)
        cmd: "C:\Users\Admin\AppData\Local\Temp\5.exe" -a
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\6.exe  (PID 1996)
      cmd: "C:\Users\Admin\AppData\Local\Temp\6.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe  (PID 4080)
      cmd: "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2800)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1684
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\7.exe  (PID 4136)
      cmd: "C:\Users\Admin\AppData\Local\Temp\7.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\8.exe  (PID 2916)
      cmd: "C:\Users\Admin\AppData\Local\Temp\8.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3016)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4080 -ip 4080

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2280)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1148 -ip 1148

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4672)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1148 -ip 1148

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2036)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1148 -ip 1148

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 924)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1148 -ip 1148

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3440)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1148 -ip 1148

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4048)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1148 -ip 1148

[1] C:\Windows\system32\dwm.exe  (PID 5088)
    cmd: "dwm.exe"
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4788)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1148 -ip 1148

[1] C:\Windows\system32\dwm.exe  (PID 2068)
    cmd: "dwm.exe"
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\dwm.exe  (PID 3444)
    cmd: "dwm.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\dwm.exe  (PID 1008)
    cmd: "dwm.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\sihost.exe  (PID 3384)
    cmd: sihost.exe

[1] C:\Windows\system32\sihost.exe  (PID 3312)
    cmd: sihost.exe

[1] C:\Windows\system32\sihost.exe  (PID 3464)
    cmd: sihost.exe

[1] C:\Windows\system32\sihost.exe  (PID 1628)
    cmd: sihost.exe

[1] C:\Windows\system32\sihost.exe  (PID 1808)
    cmd: sihost.exe

[1] C:\Windows\system32\sihost.exe  (PID 1432)
    cmd: sihost.exe
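The cmd.exe → taskkill.exe → xcopy.exe → chrome.exe chain under 2.exe (PID 4916) is a browser-profile cloning pattern: Chrome is killed so its profile files are no longer locked, the whole "User Data" tree is copied to a Temp directory, and a fresh Chrome is started parked off-screen (--window-position=-50000,-50000) against the copy with Facebook pages and the ads billing settings as its start URLs, so the victim's existing session cookies are replayed without any password. What follows is an added detection example written for this report, not code from the sandbox or from the sample's authors: a Python hunt over process-creation events that flags each stage and correlates them through the parent chain, skipping cmd.exe wrappers. The event records are constructed for the example: their command lines are copied from the process tree above, the field names loosely follow Sysmon Event ID 1, and the final explorer.exe-parented Chrome launch (PIDs 7001 and 2400) is an invented benign control.

```python
"""Hunt for the Chrome profile-cloning chain: kill -> copy User Data -> relaunch.
Added example for this report; all event records below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:  # the Sysmon Event ID 1 fields this hunt needs
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry: command lines and PIDs copied from the process tree in
# this report; the last event is an invented benign Chrome start used as a control.
EVENTS = [
    ProcEvent(4916, 1968, r"C:\Users\Admin\AppData\Local\Temp\2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    ProcEvent(1628, 4916, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(3444, 1628, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    ProcEvent(4384, 4916, r"C:\Windows\SysWOW64\xcopy.exe",
              r'xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" '
              r'"C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y'),
    ProcEvent(3236, 4916, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
              r'--window-position=-50000,-50000 '
              r'--user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" '
              "https://www.facebook.com/ https://www.facebook.com/pages/ "
              "https://secure.facebook.com/ads/manager/account_settings/account_billing/"),
    ProcEvent(7001, 2400, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.org/'),
]

CHROME_USER_DATA = r"\google\chrome\user data"   # tail of Chrome's default profile root
SHELLS = {"cmd.exe", "powershell.exe"}           # wrappers to look through when attributing
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')     # a token may contain quoted spans, e.g. k="v w"


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted spans whole and dropping the quotes."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_chrome_kill(ev: ProcEvent) -> bool:
    toks = [t.lower() for t in tokenize(ev.cmdline)]
    return basename(ev.image) == "taskkill.exe" and "/im" in toks and "chrome.exe" in toks


def profile_copy_dest(ev: ProcEvent) -> Optional[str]:
    """Destination directory when xcopy/robocopy copies Chrome's User Data tree elsewhere."""
    if basename(ev.image) not in ("xcopy.exe", "robocopy.exe"):
        return None
    paths = [t for t in tokenize(ev.cmdline)[1:] if not t.startswith("/")]
    if len(paths) < 2 or CHROME_USER_DATA not in paths[0].lower():
        return None
    return paths[1]


def cloned_profile_launch(ev: ProcEvent) -> Optional[dict]:
    """Chrome started on a non-default --user-data-dir, or parked off-screen."""
    if basename(ev.image) != "chrome.exe":
        return None
    user_data_dir, hidden, urls = None, False, []
    for tok in tokenize(ev.cmdline)[1:]:
        low = tok.lower()
        if low.startswith("--user-data-dir="):
            user_data_dir = tok.split("=", 1)[1]
        elif low.startswith("--window-position="):          # all-negative coords = off-screen
            coords = low.split("=", 1)[1].split(",")
            hidden = all(c.lstrip("-").isdigit() and int(c) < 0 for c in coords)
        elif low.startswith(("http://", "https://")):
            urls.append(tok)
    if user_data_dir is None:
        return None
    default_dir = user_data_dir.lower().rstrip("\\").endswith(CHROME_USER_DATA)
    if default_dir and not hidden:
        return None
    return {"user_data_dir": user_data_dir, "hidden_window": hidden, "urls": urls}


def owner_of(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Nearest ancestor that is not a shell, so `cmd.exe /c taskkill` is charged to its caller."""
    while True:
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) not in SHELLS:
            return ev.ppid
        ev = parent


def hunt(events: List[ProcEvent]) -> Dict[int, dict]:
    """Group the stages by the process that drove them and give each group a verdict."""
    by_pid = {e.pid: e for e in events}  # production code should key on ProcessGuid: PIDs get reused
    findings: Dict[int, dict] = {}
    for ev in events:
        if is_chrome_kill(ev):
            stage, detail = "kill", {}
        elif (dest := profile_copy_dest(ev)) is not None:
            stage, detail = "copy", {"dest": dest}
        elif (launch := cloned_profile_launch(ev)) is not None:
            stage, detail = "launch", launch
        else:
            continue
        owner = owner_of(ev, by_pid)
        entry = findings.setdefault(owner, {"owner_image": getattr(by_pid.get(owner), "image", "?"), "stages": {}})
        entry["stages"][stage] = dict(detail, pid=ev.pid)
    for entry in findings.values():
        s = entry["stages"]
        if "copy" in s and "launch" in s:
            same = s["copy"]["dest"].rstrip("\\").lower() == s["launch"]["user_data_dir"].rstrip("\\").lower()
            entry["verdict"] = "browser session hijack: profile cloned and reopened" + (" from the copy" if same else "")
        elif "launch" in s and s["launch"]["hidden_window"]:
            entry["verdict"] = "hidden Chrome on a non-default profile"
        else:
            entry["verdict"] = "single suspicious stage"
    return findings


if __name__ == "__main__":
    for owner, entry in hunt(EVENTS).items():
        print(owner, basename(entry["owner_image"]), entry["verdict"], sorted(entry["stages"]))
```

Run against the constructed events this reports one owner, PID 4916 (2.exe), with all three stages and the "reopened from the copy" verdict; the control launch produces nothing because it uses the default profile and is not hidden. The hunt is deliberately tolerant of variations the report does not show (robocopy instead of xcopy, a PowerShell wrapper, a hidden window on the default profile) but still requires a non-default --user-data-dir or an off-screen position before it treats a Chrome start as suspicious, since --user-data-dir alone is also used by legitimate automation.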
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize: 18KB
MD5: ba6b120e1ef1f622818f117ce8f543e4
SHA1: 2cdb0dde23dc940b71e2bd73093e9c3f96d18b35
SHA256: f68bd747359e60f8c3dcd236aaba0cd48fda4b6d4dd369835e874eb6f346f609
SHA512: c30a39bfec22cd22709466c43256a03e43cd6fcb0c1995cfb25ccc1ba4192f2e4019ccf448c787e07db180df39d9e0ee94c3da0b0bfeda69054992e653a65689
-
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\jse31v4t.newcfg
Filesize: 1KB
MD5: d71a12b7aa02592b03878877eb133425
SHA1: 899c5404464c3efed66534207d0245e0cf050488
SHA256: b44c3fa39198be28e0e723fd458eae31a5f05041926917fe11e2b265aa0cbee4
SHA512: ae0733fe01b479f4ad291ac1180ae9f9b5833fa072001c40728d9f26d4aa9e94ec0239432df16cad35c2675b41d58c6e599fbd0dbc1354d297ab8bca30cd4441
-
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\user.config
Filesize: 842B
MD5: 1b02b89ab3872d00c6a46cb4a7048dc9
SHA1: 0840aefbbe40a00d7290d32ce8243de3cf98339e
SHA256: ac8517efbed88850a40943fbd667d9a06f6a156f0031109f59b4ca821aa22fd4
SHA512: 0eeee6c2cf1eaa11d561ba17ed65caf97e069b5ccbf7420c3ae4bf88859f1273034a600da91620411b12cd3241dcfabdc8d4ddd58218f2781254ac6ccf1fa419
-
C:\Users\Admin\AppData\Local\Module_Art\7.exe_Url_thzg1wxz05m0mfarelentuphoh3agof2\1.2.1.0\user.config
Filesize: 964B
MD5: 8e18625cd36f0075da4bf0ce8fac8204
SHA1: 0df80ad1c5ea9bddcb5cfcf2c60c6fb3db903216
SHA256: 35799f5570b76aa51478e74ea9d1c42b39be157c3953a2b44047dd3ed2e629b1
SHA512: 74d8be6cddfc1c13acb30c18752d93ef8d57348b8b29220914ecb126ae8459318dd150b2f51299870119bdb6483f35417baa988c688f0f621512c5a47e227c26
-
Filesize: 178KB
MD5: 41991f83e362a3deb76ac8113f057012
SHA1: 19f26c609bd9ea85e6f51284857c0be3601fb847
SHA256: e71969fd2ce59cd4dae96e6e844803629fae4fa749c48824cd560d2606e28899
SHA512: c94f529ab1164a08816d72ed4131488307eaa181b8be9290866c2dd899b49a404779e43909862e5d4774f85041b629d8642eeedb69ca594e812eb556714e463e
-
Filesize: 1.4MB
MD5: fb5ee4c6d208ccf26bb93b4f868475b9
SHA1: 9f1eff363fbe71c895c76502ecaa33fe8e078383
SHA256: 614f6b18d9a64fba2adad94f376716845ae96ea6507952ea94027093184ae376
SHA512: 8bcdde4614dee6be3c76d77cc598e654c6993d7e6ec1990ff8c8c6c0a91ee9d5c50f0be21c35570d746408be50d33ebef766318bfcd14e86e941662180c41f4e
-
Filesize: 8KB
MD5: 9323e70f1f2169ed31a1b3f130804833
SHA1: d9a5fea3bdd54d4509f6228fa32c7164e864df66
SHA256: 6fe7d70e9a5c92dac044cf54d080b64ec4fcbc08ea405e84533f74ced0e0400e
SHA512: fe9a4868f32a447fc757fef9753c049d2fc2af7fa47eee398b12813ece7d8414f493cba8c0f05454030e4b434aa7d06886be8e079cda460b05d925f03dbc6807
-
Filesize: 357KB
MD5: 4cb45ecf88e52581f5f3c686bcd1a636
SHA1: 4140f1d875473701b15aa37193783384db264ea7
SHA256: 944816173e25c3a57db52f1f19ce79b0ccb323a2e4129f3e96bfc3c537034360
SHA512: 3b10318e57c04ef89f8c578891dc5a67ae648bcc1cf39b00b70822bc29d8c050191184a03ae070c98e5c01554945a1766307299b3d9b3a1258e8ef82336b7676
-
Filesize: 56KB
MD5: e511bb4cf31a2307b6f3445a869bcf31
SHA1: 76f5c6e8df733ac13d205d426831ed7672a05349
SHA256: 56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA512: 9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c
-
Filesize: 900KB
MD5: a3e75b6fda5826af709b5e488e7cd9e7
SHA1: 2fce3251b18ff02a06083aa8a037def64a604a78
SHA256: 8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46
SHA512: 6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41
-
Filesize: 1.5MB
MD5: bb1f95fe5f242faf116e1444edd0ae91
SHA1: 42eeab7de61671335a556b665210fcf7128dbae2
SHA256: d4396c5a2cf719e160a8da15d3988bcce30642b018ae5a90b4e21575f9961694
SHA512: 22a0d3b8bc24144a5bdc6f83310b9143388f5d2603a7642a081364317f88485cc84f83098fa07280e2d6dcc54e5f7a81a4f6ed5dee1465bd48c8bb3ffcbbf107
-
Filesize: 8KB
MD5: a4e4e2aa12867c6d5998641794aed8d5
SHA1: 40af2de01ee3f820f29281c61c570e349fe81d35
SHA256: b2ab671fa85e9be643f4154be4cfb363998b10c0e74a160c09fb24eff49d0368
SHA512: 8c629b0aceb3ad4db789a5945cf092b157878d2eeb87652e3e30adc019a357986bcbc9b23294205803da8a7212c0baa0316b0f38eae78cee77fe66f5da8a8391
-
Filesize: 6KB
MD5: e4ff121d36dff8e94df4e718ecd84aff
SHA1: b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA256: 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512: 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
Filesize: 43KB
MD5: 93460c75de91c3601b4a47d2b99d8f94
SHA1: f2e959a3291ef579ae254953e62d098fe4557572
SHA256: 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512: 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
Filesize: 1024KB
MD5: 9a31b075da019ddc9903f13f81390688
SHA1: d5ed5d518c8aad84762b03f240d90a2d5d9d99d3
SHA256: 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1
SHA512: a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e
-
Filesize: 40KB
MD5: a182561a527f929489bf4b8f74f65cd7
SHA1: 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256: 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512: 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558