xtremerat | b6c180579747a886eabea186cf0dc2924a94fcaacba5fc2938e4099a9368cf6b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Size

252KB
MD5

44f2b176d49109d497dd2adbee8376bb
SHA1

e288dcf13a6faf8a02876340f8a4277fb6031256
SHA256

b6c180579747a886eabea186cf0dc2924a94fcaacba5fc2938e4099a9368cf6b
SHA512

f2a0bea897dc2fcab309a21d9ce2caff8da39fc9c21a2942cc98ad707a3320d4b64f7e670844b3a178fa2ebe6d4adcb203be4713531850c347b88a4eb3db4d87
SSDEEP

1536:YIgtZkCGTDGyG5ThFH/oGP+tfwQomF2uP:/zCGPGyihZ/oftYzmtP

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

service-update1.zapto.org

Signatures

Detect XtremeRAT payload 23 IoCs

resource	yara_rule
behavioral2/memory/1260-3-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/1260-2-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/1260-4-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/1260-5-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/464-10-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/2376-12-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/1260-13-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3600-20-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4352-24-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/940-31-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/2824-35-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3456-46-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/5108-57-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/1020-68-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4648-79-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/2784-90-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3464-101-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3612-112-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/2176-123-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4840-134-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/436-145-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3728-156-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/876-167-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 58 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6SBXQGA0-C74C-5QW0-DU52-5GF36G82QBV4}\StubPath = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe restart"	Java 7.exe

Executes dropped EXE 54 IoCs

pid	Process
3336	Java 7.exe
3600	Java 7.exe
3444	Java 7.exe
940	Java 7.exe
1784	Java 7.exe
2680	Java 7.exe
2820	Java 7.exe
1456	Java 7.exe
4852	Java 7.exe
2836	Java 7.exe
1804	Java 7.exe
4600	Java 7.exe
3032	Java 7.exe
4508	Java 7.exe
224	Java 7.exe
2764	Java 7.exe
2508	Java 7.exe
4444	Java 7.exe
3484	Java 7.exe
8	Java 7.exe
444	Java 7.exe
4772	Java 7.exe
2776	Java 7.exe
4856	Java 7.exe
3252	Java 7.exe
4416	Java 7.exe
5048	Java 7.exe
2328	Java 7.exe
2256	Java 7.exe
852	Java 7.exe
640	Java 7.exe
4808	Java 7.exe
5112	Java 7.exe
768	Java 7.exe
2032	Java 7.exe
2512	Java 7.exe
2344	Java 7.exe
2044	Java 7.exe
4848	Java 7.exe
2024	Java 7.exe
4432	Java 7.exe
4120	Java 7.exe
708	Java 7.exe
1344	Java 7.exe
1956	Java 7.exe
1492	Java 7.exe
2784	Java 7.exe
1700	Java 7.exe
2764	Java 7.exe
2592	Java 7.exe
4912	Java 7.exe
4788	Java 7.exe
2776	Java 7.exe
1384	Java 7.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java 7.0\\Java 7.exe"	Java 7.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 3336 set thread context of 3600	3336	Java 7.exe	97
PID 3444 set thread context of 940	3444	Java 7.exe	101
PID 1784 set thread context of 2680	1784	Java 7.exe	104
PID 2820 set thread context of 1456	2820	Java 7.exe	107
PID 4852 set thread context of 2836	4852	Java 7.exe	112
PID 1804 set thread context of 4600	1804	Java 7.exe	116
PID 3032 set thread context of 4508	3032	Java 7.exe	119
PID 224 set thread context of 2764	224	Java 7.exe	122
PID 2508 set thread context of 4444	2508	Java 7.exe	125
PID 3484 set thread context of 8	3484	Java 7.exe	128
PID 444 set thread context of 4772	444	Java 7.exe	131
PID 2776 set thread context of 4856	2776	Java 7.exe	135
PID 3252 set thread context of 4416	3252	Java 7.exe	138
PID 5048 set thread context of 2328	5048	Java 7.exe	141
PID 2256 set thread context of 852	2256	Java 7.exe	144
PID 640 set thread context of 4808	640	Java 7.exe	147
PID 5112 set thread context of 768	5112	Java 7.exe	150
PID 2032 set thread context of 2512	2032	Java 7.exe	155
PID 2344 set thread context of 2044	2344	Java 7.exe	164
PID 4848 set thread context of 2024	4848	Java 7.exe	167
PID 4432 set thread context of 4120	4432	Java 7.exe	170
PID 708 set thread context of 1344	708	Java 7.exe	173
PID 1956 set thread context of 1492	1956	Java 7.exe	176
PID 2784 set thread context of 1700	2784	Java 7.exe	179
PID 2764 set thread context of 2592	2764	Java 7.exe	182
PID 4912 set thread context of 4788	4912	Java 7.exe	188
PID 2776 set thread context of 1384	2776	Java 7.exe	191

Drops file in Program Files directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File created	C:\Program Files (x86)\Java 7.0\Java 7.exe	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\Java 7.exe	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe
File opened for modification	C:\Program Files (x86)\Java 7.0\	Java 7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java 7.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
3336	Java 7.exe
3444	Java 7.exe
1784	Java 7.exe
2820	Java 7.exe
4852	Java 7.exe
1804	Java 7.exe
3032	Java 7.exe
224	Java 7.exe
2508	Java 7.exe
3484	Java 7.exe
444	Java 7.exe
2776	Java 7.exe
3252	Java 7.exe
5048	Java 7.exe
2256	Java 7.exe
640	Java 7.exe
5112	Java 7.exe
2032	Java 7.exe
2344	Java 7.exe
4848	Java 7.exe
4432	Java 7.exe
708	Java 7.exe
1956	Java 7.exe
2784	Java 7.exe
2764	Java 7.exe
4912	Java 7.exe
2776	Java 7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 4800 wrote to memory of 1260	4800	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	84
PID 1260 wrote to memory of 464	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	87
PID 1260 wrote to memory of 464	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	87
PID 1260 wrote to memory of 464	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	87
PID 1260 wrote to memory of 464	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	87
PID 1260 wrote to memory of 2376	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	89
PID 1260 wrote to memory of 2376	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	89
PID 1260 wrote to memory of 2376	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	89
PID 1260 wrote to memory of 2376	1260	44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe	89
PID 464 wrote to memory of 3336	464	svchost.exe	96
PID 464 wrote to memory of 3336	464	svchost.exe	96
PID 464 wrote to memory of 3336	464	svchost.exe	96
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3336 wrote to memory of 3600	3336	Java 7.exe	97
PID 3600 wrote to memory of 4352	3600	Java 7.exe	98
PID 3600 wrote to memory of 4352	3600	Java 7.exe	98
PID 3600 wrote to memory of 4352	3600	Java 7.exe	98
PID 3600 wrote to memory of 4352	3600	Java 7.exe	98
PID 464 wrote to memory of 3444	464	svchost.exe	100
PID 464 wrote to memory of 3444	464	svchost.exe	100
PID 464 wrote to memory of 3444	464	svchost.exe	100
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 3444 wrote to memory of 940	3444	Java 7.exe	101
PID 940 wrote to memory of 2824	940	Java 7.exe	102
PID 940 wrote to memory of 2824	940	Java 7.exe	102
PID 940 wrote to memory of 2824	940	Java 7.exe	102
PID 940 wrote to memory of 2824	940	Java 7.exe	102
PID 464 wrote to memory of 1784	464	svchost.exe	103
PID 464 wrote to memory of 1784	464	svchost.exe	103
PID 464 wrote to memory of 1784	464	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\44f2b176d49109d497dd2adbee8376bb_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:4352
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1784
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2680
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2820
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1456
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4852
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2836
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1804
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3032
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4508
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:224
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2764
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2508
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4444
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:3612
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3484
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:8
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:444
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4772
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2776
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4856
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:436
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3252
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4416
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5048
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:876
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2256
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:852
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:640
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4808
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5112
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:768
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:4412
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2032
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2512
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2344
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2044
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:3252
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4848
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2024
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4432
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4120
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:3536
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:708
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:5072
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1956
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1492
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:264
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2784
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1700
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:960
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2764
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:4368
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4912
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4788
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
  - - C:\Program Files (x86)\Java 7.0\Java 7.exe
      "C:\Program Files (x86)\Java 7.0\Java 7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2776
    - - C:\Program Files (x86)\Java 7.0\Java 7.exe
        
        "C:\Program Files (x86)\Java 7.0\Java 7.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1384
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java 7.0\Java 7.exe

Filesize
252KB

MD5
44f2b176d49109d497dd2adbee8376bb

SHA1
e288dcf13a6faf8a02876340f8a4277fb6031256

SHA256
b6c180579747a886eabea186cf0dc2924a94fcaacba5fc2938e4099a9368cf6b

SHA512
f2a0bea897dc2fcab309a21d9ce2caff8da39fc9c21a2942cc98ad707a3320d4b64f7e670844b3a178fa2ebe6d4adcb203be4713531850c347b88a4eb3db4d87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\S5PrnK+.cfg

Filesize
1KB

MD5
eb5df50513080ea0cd05ff39be310391

SHA1
d4bfa2e8ddb6c360f350c74c30f6f1ee13998ca0

SHA256
bd581febac93fe4e12a5633a9c702c34688f20241db05cd3853985c1ab6c2af7

SHA512
46b2af2ab7f386cae2a4bb1fc9ec138ae7c706805fd323fc8bd5e0954b31245165ef0fa85c0632a3adc32f63dabf32dba08cfa3c378eb348a6c2815d7a78f493

Download Submit
memory/436-145-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/464-10-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/876-167-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/940-31-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1020-68-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1260-5-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1260-13-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1260-4-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1260-2-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1260-3-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2176-123-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2376-12-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2784-90-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2824-35-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3456-46-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3464-101-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3600-20-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3612-112-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3728-156-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4352-24-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4648-79-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4840-134-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/5108-57-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads