Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 10:24
Static task: static1
Behavioral task: behavioral1
Sample: 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Size: 328KB
MD5: 2f69faa2bacccf5a61b7c7996c558f4c
SHA1: 172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
SHA256: ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
SHA512: 712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578
SSDEEP: 6144:F4MKA86q6kcKPqCAOFPmvSNQgstAw/u5jp2hnU4ZcRdN1Sgg68:F9x1KNRmKN+/Mk3eBU
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+mrymu.txt
Family: teslacrypt
C2 URLs (all four carry the same path token, 4AE985BED72EDE5C; the last is a Tor hidden service):
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4AE985BED72EDE5C
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4AE985BED72EDE5C
http://yyre45dbvn2nhbefbmh.begumvelic.at/4AE985BED72EDE5C
http://xlowfznrg4wf7dli.ONION/4AE985BED72EDE5C
Signatures
TeslaCrypt, AlphaCrypt
Ransomware that initially passed itself off as CryptoLocker. The developers shut the operation down in May 2016 and released the master decryption key, so files encrypted by this family can be recovered with a public decryptor rather than by paying.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery. Here the dropped executable runs WMIC.exe with "shadowcopy delete /nointeractive" (see the process tree below).
Renames multiple (565) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
Deletes itself (1 IoC)
Process: cmd.exe (PID 2856)
Drops startup file (6 IoCs)
Process: uqwrydmhfrbs.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mrymu.png
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mrymu.txt
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mrymu.html
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mrymu.png
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mrymu.txt
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mrymu.html
The files dropped here are the ransom note in three formats, so at logon they are opened by their associated viewers rather than executed as code; persistence for the payload itself is the Run key below.
Executes dropped EXE (1 IoC)
Process: uqwrydmhfrbs.exe (PID 2844)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: uqwrydmhfrbs.exe
Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwmgoxfccsvg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\uqwrydmhfrbs.exe\""
The value wraps the payload in "cmd.exe /c start", so a Run-key check that only inspects the first token of each value sees cmd.exe and misses C:\Windows\uqwrydmhfrbs.exe.
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (64 IoCs)
Process: uqwrydmhfrbs.exe
The list mixes two things: ransom notes (_RECoVERY_+mrymu.txt/.png/.html) written into every directory the encryptor walks, and existing files (.png, .pak, .txt, .css, .avi) opened for modification, consistent with in-place encryption.
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\br\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mai\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\gu\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Microsoft Games\Chess\ChessMCE.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\meta\reader\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Java\jre7\lib\images\cursors\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Java\jre7\lib\management\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Antarctica\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\7-Zip\Lang\yo.txt
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sr\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\packetizer\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak
File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sl\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css
File opened for modification: C:\Program Files\Common Files\System\ado\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png
File opened for modification: C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
File opened for modification: C:\Program Files\Microsoft Games\Purble Place\es-ES\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Mozilla Firefox\uninstall\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png
File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\7-Zip\Lang\ast.txt
File opened for modification: C:\Program Files\Java\jre7\bin\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Java\jre7\lib\fonts\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ml\_RECoVERY_+mrymu.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_QuickLaunch.png
File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak
File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\7-Zip\Lang\cy.txt
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_RECoVERY_+mrymu.png
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zh_TW\_RECoVERY_+mrymu.html
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_RECoVERY_+mrymu.txt
Drops file in Windows directory (2 IoCs)
Process: 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
File created: C:\Windows\uqwrydmhfrbs.exe
File opened for modification: C:\Windows\uqwrydmhfrbs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe, uqwrydmhfrbs.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (uqwrydmhfrbs.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: uqwrydmhfrbs.exe (PID 2844), 64 identical events
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Token: SeDebugPrivilege, PID 2716, 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Token: SeDebugPrivilege, PID 2844, uqwrydmhfrbs.exe
Tokens enabled by PID 2772 WMIC.exe (the full sequence appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token: SeBackupPrivilege, PID 1268, vssvc.exe
Token: SeRestorePrivilege, PID 1268, vssvc.exe
Token: SeAuditPrivilege, PID 1268, vssvc.exe
The WMIC.exe privilege burst is WMIC's own start-up behaviour (it enables every privilege present in its token) and appears whenever WMIC runs; the indicator here is that the dropped executable launched WMIC with a shadowcopy delete command, not the privilege list itself. The two SeDebugPrivilege enables by the sample and its dropped copy are the ones worth noting.
Suspicious use of WriteProcessMemory (12 IoCs)
PID 2716 (2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe) wrote to memory of PID 2844 (uqwrydmhfrbs.exe), 4 events
PID 2716 (2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe) wrote to memory of PID 2856 (cmd.exe), 4 events
PID 2844 (uqwrydmhfrbs.exe) wrote to memory of PID 2772 (WMIC.exe), 4 events
The four writes into each child coincide with that child's creation and are consistent with ordinary process start-up by the parent rather than a separate injection step.
System policy modification (1 TTPs, 2 IoCs)
Process: uqwrydmhfrbs.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
EnableLinkedConnections=1 makes drive letters mapped under the user's standard (filtered) token visible to processes running under the elevated (linked) token, so an elevated encryption process can reach mapped network shares it would otherwise not see. The write goes to HKLM, which only succeeds because the process is running elevated.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
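The signatures above describe the behaviours a detection engineer would want to catch on a live host: shadow-copy deletion through WMIC, a Run value that wraps the payload in "cmd.exe /c start", EnableLinkedConnections set to 1, ransom notes written into the Startup folders, and self-deletion through "cmd /c DEL" using an 8.3 short name. The following Python is an added example, not part of this report or of any sandbox's code: it encodes those behaviours as rules and runs them over constructed event records modelled on the report's process tree, registry writes and file drops. The Event structure, the rule names, the 8.3 short-name heuristic and the verdict logic are the author's assumptions.

```python
"""Behavioural rules for the TeslaCrypt activity recorded in this report.
Added example, not part of the sandbox report or of any tool. The event records
are CONSTRUCTED to mirror the report; rule names and heuristics are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str         # "process", "registry" or "file"
    process: str      # image name of the acting process
    pid: int
    data: str         # command line, "key\value = data", or "File <op> <path>"
    parent: str = ""  # parent image path (process events only)


# Constructed events modelled on the report's process tree, registry and file IoCs.
SAMPLE_EVENTS = [
    Event("process", "WMIC.exe", 2772,
          r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive',
          parent=r"C:\Windows\uqwrydmhfrbs.exe"),
    Event("process", "cmd.exe", 2856,
          r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F69FA~1.EXE',
          parent=r"C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"),
    Event("registry", "uqwrydmhfrbs.exe", 2844,
          r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mwmgoxfccsvg = '
          r'"C:\Windows\system32\cmd.exe /c start "" "C:\Windows\uqwrydmhfrbs.exe""'),
    Event("registry", "uqwrydmhfrbs.exe", 2844,
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1"),
    Event("file", "uqwrydmhfrbs.exe", 2844,
          r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mrymu.txt"),
    Event("file", "uqwrydmhfrbs.exe", 2844,
          r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\_RECoVERY_+mrymu.html"),
]

# Constructed benign control: an ordinary Run value and an installer deleting its own log.
BENIGN_EVENTS = [
    Event("registry", "explorer.exe", 1200,
          r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("process", "cmd.exe", 1300,
          r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\setup.log',
          parent=r"C:\Program Files\Vendor\setup.exe"),
]

SHADOW_DELETE = re.compile(r"\b(?:wmic(?:\.exe)?\b.*\bshadowcopy\s+delete|vssadmin(?:\.exe)?\b.*\bdelete\s+shadows)", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^=]+=\s*(?P<cmd>.+)$", re.I)
CMD_START = re.compile(r'cmd\.exe\s+/c\s+start\b.*?"(?P<target>[a-z]:\\[^"]+\.exe)"', re.I)
LINKED_CONN = re.compile(r'\\Policies\\System\\EnableLinkedConnections\s*=\s*"?1"?\s*$', re.I)
FILE_OP = re.compile(r"^File (?:created|opened for modification) (?P<path>.+)$")
RANSOM_NOTE = re.compile(r"\\_RECoVERY_\+[a-z0-9]{5}\.(?:txt|png|html)$", re.I)
STARTUP_DIR = re.compile(r"\\(?:Start Menu\\Programs\\Startup|Microsoft\\Word\\STARTUP)\\", re.I)
SELF_DELETE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+(?P<target>\S+)', re.I)


def same_image(target: str, image: str) -> bool:
    """True if `target` names `image`, allowing a DOS 8.3 short name (2F69FA~1.EXE).
    Heuristic (assumption): 8.3 names keep the first six characters of a plain stem."""
    if ntpath.dirname(target).lower() != ntpath.dirname(image).lower():
        return False
    t_name, i_name = ntpath.basename(target).lower(), ntpath.basename(image).lower()
    if t_name == i_name:
        return True
    stem, ext = ntpath.splitext(t_name)
    return "~" in stem and i_name.startswith(stem.split("~")[0]) and i_name.endswith(ext)


def triage(events):
    """Run every rule over the events; returns {rule_name: [evidence, ...]}."""
    hits, note_dirs = {}, set()
    add = lambda rule, evidence: hits.setdefault(rule, []).append(evidence)
    for e in events:
        if e.kind == "process":
            if SHADOW_DELETE.search(e.data):
                add("shadow_copy_deletion", f"pid {e.pid}: {e.data}")
            m = SELF_DELETE.search(e.data)
            if m and e.parent and same_image(m.group("target"), e.parent):
                add("self_deletion_via_cmd", f"pid {e.pid} deletes its parent image {e.parent}")
        elif e.kind == "registry":
            m = RUN_VALUE.search(e.data)
            if m and (t := CMD_START.search(m.group("cmd"))):
                add("run_key_cmd_start_wrapper", f"{e.process}: Run value starts {t.group('target')} through cmd.exe")
            if LINKED_CONN.search(e.data):
                add("enable_linked_connections", f"{e.process}: {e.data}")
        elif e.kind == "file" and (m := FILE_OP.match(e.data)) and RANSOM_NOTE.search(m.group("path")):
            note_dirs.add(ntpath.dirname(m.group("path")).lower())   # one note per directory walked
            if STARTUP_DIR.search(m.group("path")):
                add("ransom_note_in_startup", f"{e.process}: {m.group('path')}")
    if note_dirs:
        add("ransom_note_drop", f"{len(note_dirs)} directories received a _RECoVERY_+ note")
    return hits


def verdict(hits) -> str:
    """Ransomware needs both the impact signal (note drop) and recovery inhibition."""
    if {"ransom_note_drop", "shadow_copy_deletion"}.issubset(hits):
        return "ransomware"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        found = triage(evs)
        print(name, verdict(found), *(f"\n  {r}: {ev[0]}" for r, ev in found.items()))
```

The self-deletion rule compares the DEL target against the parent's image path rather than the parent's name, because the report's command line uses the 8.3 short name 2F69FA~1.EXE and a plain string match on the long name would miss it. The Run-key rule deliberately looks past cmd.exe to the quoted target so the wrapper trick above does not hide the payload path.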
Processes
C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe (PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\uqwrydmhfrbs.exe (PID 2844, child of 2716)
    Command line: C:\Windows\uqwrydmhfrbs.exe
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\wbem\WMIC.exe (PID 2772, child of 2844)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2856, child of 2716)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F69FA~1.EXE
    - Deletes itself
    - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe (PID 1268)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Two details in the tree are easy to misread. The cmd.exe command line names system32 but the image resolved to SysWOW64 because the 32-bit sample is subject to WoW64 file-system redirection, and the DEL target is the 8.3 short name 2F69FA~1.EXE, which a string match on the long file name will not catch. vssvc.exe is the Volume Shadow Copy service, started on demand to service the shadow-copy deletion; it is not a child of the sample.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 12KB
MD5: 1c0fb680590153c368357ad3c510a8f0
SHA1: b664cbb4c515ae04ea2a1cad5c568648acf4c324
SHA256: 2282253a4457eac67361806ae8548161dd83405022d201ff6d0a35aa882f8814
SHA512: 77dab0c9e0ce9bd075950cba958ae4eb007648f2cfded20b176c41eff63d0c35657f5e5e6f7875f76b9e3f83243b47e8d1a8ee981ac4c4900b9be169c31fdbc7

Filesize: 64KB
MD5: e65f5efefc616c8bfd4b14607909ca68
SHA1: 170d18ad4aacc3d1a2195ed4b186dcd8821934de
SHA256: b124dadf160f876977b0dd22b4adcf43afa460e75743aa694c9ef4ad7c2abac8
SHA512: ed2eace28be5f4d5103979ae42a2d72f883048f969f82dd697349a65d311b981f0a12170838e3d7d489bf08f298ce632e49b294f77ca35afa055b5db066aa8e6

Filesize: 1KB
MD5: 616b6b0ee824dd536b03e1987867ca57
SHA1: 68998e319e3b6fe64ce41c78ce9af26ab1f54e64
SHA256: 7a781a0a55ba232b0cd54954cda6c7729ae6a6f0e09677e668453feee36d96b8
SHA512: 74b975dd81c2c6bca58dc46dfe47d1da5a694bd9684f545b8c0ab5b1187dee3a5e58e13589dfe9cee42f7ce6e098e6c6e70d64ab6df587043726afa0a1de56ae

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize: 11KB
MD5: 3ca9b0ba23fc8a041ec330a73983f0e1
SHA1: a696258fe2504a6c9ef297944b8d5984f569243b
SHA256: b337f02262a382848788d40407ed25ceb88cfd94e50b299b37fdcd5470fd7b78
SHA512: b4ba6c35181c462f41d1f381d7b98bcd98d8dc0567dbe4e070b4a529e26cace243b263578cdb97d6c4f70e31e9b2774fa36234aade59093d746e66e31e0e9a34

Filesize: 109KB
MD5: 6af75e1bd271930adcd62d8c2107c14a
SHA1: 2d2f5d78fdf82a5821fd89dbbf651e10d6ed06b1
SHA256: 15d59e7770faf4e63f753b0550b2fb6ca1bc61b8983957f75f4fe95017419a89
SHA512: 3a78bc2a6a51bd496f630a34084eec1b65b54f7f8918bb72795b3fd4f444f0ec0e2198ed948d20aecdd6337224723dd7de957f7ecd24b91e300f6822f62b3b1f

Filesize: 173KB
MD5: 596bbf9178af7c04b74c1670aacf28be
SHA1: 7d35fbdf9af9208efecff4de3ee204952068ed13
SHA256: 4339a253d990172780bf4ec2f85c1011d3cfdbcbdc716b5bdb2daeb6951a48ff
SHA512: 81640c996f98553edf1fbc43d70ab23276eaec5234c1501242cf87589291e48cff077ddccf8cffc7133a837acdc9e47903925b72e0d9166d415161e83cd9ad14

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professional\license.rtf
Filesize: 35KB
MD5: 65e8e63aef9c960a0443663e975e1405
SHA1: ef9171be189f8b159061173d4714105b26218259
SHA256: fcaa79c2680c86f105198bc1a548d53b8d607d22dd6303bc8a9fbe4c2fcc050a
SHA512: d454cf495705e161172999b9865c096d82738f5a1573a239b771baa749bbc8bbfba4addf15e8fe79cd0f5dcf28bc8ae327b1aaea41cf8c4898d73ebbfd6cf3d5

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimatee\license.rtf
Filesize: 28KB
MD5: 74e875188b00c26467160ed445ab9275
SHA1: 750a1934b4c50e00d349c09585da00a1b634df8e
SHA256: 1c8b51240c6857a20ed38636f3d9874bd6327ee67ba407ad7b1060e759c140fe
SHA512: de324fdbe4368e596c4e332617c19731d70ddf1f30a3f9c5f3d222ba91e5f9150ac588577032050813b3d9f0586be61f0afb0f37b0843e98ab2165d17eaf7184

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimaten\license.rtf
Filesize: 35KB
MD5: 834f827e9053a1ae9f6e66524df86f38
SHA1: f4db0fbf518a754bf2bbcebd068fdff68f5bb65b
SHA256: 968c2489169480776dc73fc2fd883a33e1175441ddf32d4f2ca76600cea1fcb7
SHA512: 58b1826cb8ff111d86c7019e6bd13c0fd7fccf7fa6df1d99952a57412bdbbe05c8daa3f1aca2d8a96284cc5a396ffb293cfc7e1290d2cdc9de10ca1caca90f5a

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\oem\homebasice\license.rtf
Filesize: 28KB
MD5: 079264af13a27cd6081b1cfddc20276a
SHA1: adc077c90d45103ec6c52d3a1fa92bd2ea705b8f
SHA256: 93d678e3d794f509ac49e35a69c2a4d9c3e6b26d8ee426d8ce7f1f7ac66a6741
SHA512: 46c6ccdcebbc389e9d1eb39d21eaa146f3f74493c975dfe3db5e07f5f310473b4cebec61f78e61602df3590c5cce23a8b44e2a543f03bd0047b979f1f1a315b8

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\homepremiume\license.rtf
Filesize: 28KB
MD5: 80a0236c2c68134f7e19517be20b9a74
SHA1: 7f66201dfdfe1f5c7aefb712e068530114313fd7
SHA256: f4d1928d7ef6dad5f94a9a565ea249a851bc0844d35a90dfd61a0e04ad1aee2f
SHA512: 4fc00bb923d682fcc3bc7f4faec590928e1e5c746d987eb4e7511f8901941a4043774b438f70d0d5bc92689f707869d7680636589f60770b908168e286f8b526

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homebasic\license.rtf
Filesize: 35KB
MD5: ab46aa0b8c0d84a2775085a176ceada0
SHA1: c73d6ba32f24d706c6c0accd19660aee92c188b6
SHA256: 2f66da6ddc9f069a90c9077db5044e382d602d77d4a359216effd5537eaa9daf
SHA512: 6ed95628ee38c172967566c454304aa8c50b4fc0539e6a0bf73f5d3297f70c92ee7efad86621adf77bb48e2a166113f89ae97d6799d73bbffb0a4ab531185e1b

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf
Filesize: 41KB
MD5: 4d5516589c11af863cab6d4f1a3bfc5c
SHA1: a977da12e4bd6b124581f57eed5dd5ef7301d5d6
SHA256: 620ec5c4710c393f3850b41437de0725b389b8680f2a892eff4efd50dc5d5e9b
SHA512: 19f217c20ca11ae423b6b8f66b07cf3144991b5848663b9750afff0a7d60a21af2af06b6e8e28069f205153f835c4819c85978b46e119f113962e74f92d53b9b

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf
Filesize: 9KB
MD5: b46794b5982c685377b2248193f35475
SHA1: 33b1cb42e52a00204604c5aaab7d0bdb7b11d7fc
SHA256: 63e7d99d6662ac0076bfa6b720e41dcd44b85fe688262462e8c352b1dca020f7
SHA512: 27f0d5f64aa2c421b11bb07b2f2cdc09c58910e76dea97d969f167600fd882ddb257b88bd7766f100d347bd624278644b36d0b64b649d3ccfa0aacf07ba36941

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf
Filesize: 40KB
MD5: 5b8976c69623d888f071e13541ae5494
SHA1: 026039d907c7acb5437639b8bcb6a5f6c0a3b885
SHA256: 647f0d4719147bf02b8f0c0530a382723aad4d8064aab8a0630c0482c5fb4e59
SHA512: 4245262835c286ede383d96a35fc863d03a3449f42180c3e3b9cf1353b76c30f6df65a29742bdf3f9acf20fd0c904263aa6b239e7d9038efa84f2b84b2b61fa3

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf
Filesize: 43KB
MD5: 70ac2a9e4717a6678aba05671d4cc73a
SHA1: 20494578f03102a25cbe89da25bcf4f91305220c
SHA256: a8d3fb1f5b4a15093b99699a0030a6c4ebb1b77e1a5dab135d6ed1ce84a7d00b
SHA512: 92b5415b26663a4d55e8e062a854091a092569d1f4915d51748cc62db240e220de7562653718ad07dc2e669e5e0823bc139fc5380a0b26a2a26dab6947da71c6

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf
Filesize: 1KB
MD5: f067b9a8de29ad7a54f316d84b67a18e
SHA1: d255067074587d8a959c79ef338152dd6bb1804a
SHA256: 8a7cf48772b910afbe8f8c4f77084db52264c770a7ceab9ef5341a796f53b59c
SHA512: 3a23b00df374c6d7bb711027001541029932094c0c4d62dc2e072c1822b6ee48bd27cfb8ab437ff29b892f8eea8e706307bd7ba699fea986cda4fdc960d17fd2

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf
Filesize: 62KB
MD5: 991442d7c36e4b2b7c4530800b651d9e
SHA1: e63256bc13fa56b4ddd20653a0957994acc9c565
SHA256: 137a006641763981400ffc4044e350e612a6fa756b1c6f8b30f776283cdcc693
SHA512: 287cecb200159a07c96c251fd71d188ea3d92506462e8327907835bb99a1f04000b466a10598f08db305b784955d78aec56be39ad5fc70e32210676054d740c8

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf
Filesize: 1KB
MD5: ffc8404c40bb2f2c5892ff42039b6474
SHA1: 64119b28c305dfd74b699bd43c5c38dd00935e87
SHA256: b1e7660aa42b973067beca1cc11e331a92a9d508a7adf8ac926d9a630065ff6c
SHA512: 0429f257b003da319d4da7cc335253e162bbe1ac8bc4f3172b57cc2e3cee19bb558f8b0bf32b97892d9cdc3a2aaf2010764d8c3d3473f6167a105e166d67cc3d

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf
Filesize: 1KB
MD5: 7f0212275db33a670a71d4d5bc1a6e26
SHA1: b90fdb3dba33f25640acd1f5447881ce2d637031
SHA256: 3a702deb48003eec3c6af25162f77910f523a8941b629ede829bd758f95b047b
SHA512: 3a1c5441d9bf80df8777d37e78d8f5ce32bb41e809057db19e6d2cf8e3f2218bb03887e2dbd1aa8964ac9ec1e6e8d7d1daa26115c06795ddb93606781e0b85bc

(hashes identical to the submitted sample)
Filesize: 328KB
MD5: 2f69faa2bacccf5a61b7c7996c558f4c
SHA1: 172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
SHA256: ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
SHA512: 712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578