blackmoon | 021ecdcecec2ea886d7bd93b13598babe21ba2748a1214ae77fa363aa255da84

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
Size

3.2MB
MD5

9034895b2a5fafa6b858a3d159dbf9e1
SHA1

fca6d8946e8d7336d7630a136a69dd2f3b205bd1
SHA256

021ecdcecec2ea886d7bd93b13598babe21ba2748a1214ae77fa363aa255da84
SHA512

082a8c163bd5299aad9f536b1a0978c07cf442c14b1929d5474d19325027f87161b86c85b0648e8dbd433f8ccac7f8bd8e70e451bff8bcfc7e9076caa9cfeee0
SSDEEP

98304:r/UxwKnWwnn2sLYdkIEpP86AzY2rvzztevJG9vxZ/8:oNrnhLxIQPUY2w

Score

10^/10

blackmoon aspackv2 banker discovery evasion persistence privilege_escalation spyware stealer trojan upx vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-2-0x0000000000400000-0x0000000000A7E000-memory.dmp	family_blackmoon
behavioral1/memory/2112-8-0x0000000000400000-0x0000000000A7E000-memory.dmp	family_blackmoon
behavioral1/memory/2112-38-0x0000000002C30000-0x0000000003287000-memory.dmp	family_blackmoon
C:\Windows\ofojsn.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\f7721a4.tmp	family_blackmoon
C:\Windows\SysWOW64\logagen.dll	family_blackmoon
C:\Windows\SysWOW64\wsmprovhos.dll	family_blackmoon

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

AMe1kiV.exe

description	pid	process	target process
PID 2764 created 1200	2764	AMe1kiV.exe	Explorer.EXE
PID 2764 created 1200	2764	AMe1kiV.exe	Explorer.EXE
PID 2764 created 1200	2764	AMe1kiV.exe	Explorer.EXE

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AMe1kiV.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions AMe1kiV.exe
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

20 2648 wscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	AMe1kiV.exe

flow	pid	process
20	2648	wscript.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\up.exe	aspack_v212_v242

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 4 IoCs

Processes:

AMe1kiV.exerdhxft.exeofojsn.exeup.exe

pid process

2764 AMe1kiV.exe
2228 rdhxft.exe
3776 ofojsn.exe
2284 up.exe
Loads dropped DLL 4 IoCs

Processes:

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exeofojsn.exelogagent.exewsmprovhost.exe

pid process

2112 9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
3776 ofojsn.exe
3828 logagent.exe
3836 wsmprovhost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 223.5.5.5
Destination IP 223.5.5.5
Destination IP 223.5.5.5
Destination IP 223.5.5.5
Destination IP 223.5.5.5

pid	process
2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
3776	ofojsn.exe
3828	logagent.exe
3836	wsmprovhost.exe

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000A7E000-memory.dmp	vmprotect
behavioral1/memory/2112-2-0x0000000000400000-0x0000000000A7E000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\AMe1kiV.exe	vmprotect
behavioral1/memory/2112-8-0x0000000000400000-0x0000000000A7E000-memory.dmp	vmprotect
behavioral1/memory/2764-11-0x0000000000160000-0x00000000007B7000-memory.dmp	vmprotect
behavioral1/memory/2764-12-0x0000000000160000-0x00000000007B7000-memory.dmp	vmprotect
behavioral1/memory/2764-41-0x0000000000160000-0x00000000007B7000-memory.dmp	vmprotect
behavioral1/memory/2764-583-0x0000000000160000-0x00000000007B7000-memory.dmp	vmprotect

Drops Chrome extension 1 IoCs

Processes:

AMe1kiV.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\inbcecgjdbejnldmncldflgcdchplnea\1.0.1_0\manifest.json	AMe1kiV.exe

Drops file in System32 directory 5 IoCs

Processes:

ofojsn.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TSThem.dll	ofojsn.exe
File created	C:\Windows\SysWOW64\logagen.dll	ofojsn.exe
File created	C:\Windows\SysWOW64\wsmprovhos.dll	ofojsn.exe
File created	C:\Windows\SysWOW64\upnpcon.dll	ofojsn.exe
File created	C:\Windows\SysWOW64\winrshos.dll	ofojsn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2764-571-0x0000000074370000-0x0000000074419000-memory.dmp	upx
behavioral1/memory/2764-577-0x0000000074370000-0x0000000074419000-memory.dmp	upx
behavioral1/memory/2764-584-0x0000000074370000-0x0000000074419000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

Processes:

AMe1kiV.exeofojsn.exeRegAsm.exe

description	ioc	process
File created	C:\Windows\vplcrj.dll	AMe1kiV.exe
File created	C:\Windows\up.exe	ofojsn.exe
File created	C:\Windows\SysCom.dll	AMe1kiV.exe
File created	C:\Windows\aluhhg.vbs	AMe1kiV.exe
File created	C:\Windows\SysCom.tlb	RegAsm.exe
File created	C:\Windows\rdhxft.exe	AMe1kiV.exe
File created	C:\Windows\ofojsn.exe	AMe1kiV.exe
File created	C:\Windows\jjlnux.dll	AMe1kiV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exeAMe1kiV.exelogagent.exewsmprovhost.exewinrshost.exetstheme.exerdhxft.exeofojsn.exeupnpcont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMe1kiV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logagent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tstheme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdhxft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofojsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upnpcont.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

logagent.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	logagent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	logagent.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

logagent.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	logagent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	logagent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	logagent.exe

Modifies registry class 46 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\ = "AppCom"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\FLAGS\ = "0"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\Class = "AppCom.Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\CodeBase = "file:///C:/Windows/SysCom.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\1.0.0.5	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\1.0.0.5\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\HELPDIR	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ProxyStubClsid32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib\ = "{BBCF7762-329B-4CB3-853B-9871423F4258}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppCom.Entry\CLSID\ = "{D93A04B0-6F7B-4402-A929-867C1B531D55}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\ = "AppCom.Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\0\win64\ = "C:\\Windows\\SysCom.tlb"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\Assembly = "AppCom, Version=1.0.0.5, Culture=neutral, PublicKeyToken=4c1c1f9a1cfeee3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\1.0.0.5\Class = "AppCom.Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\ProgId\ = "AppCom.Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib\Version = "1.0"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppCom.Entry\CLSID	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\FLAGS	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ = "_Entry"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppCom.Entry	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\1.0.0.5\CodeBase = "file:///C:/Windows/SysCom.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\HELPDIR\ = "C:\\Windows"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\ProgId	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib\ = "{BBCF7762-329B-4CB3-853B-9871423F4258}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppCom.Entry\ = "AppCom.Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\InprocServer32\1.0.0.5\Assembly = "AppCom, Version=1.0.0.5, Culture=neutral, PublicKeyToken=4c1c1f9a1cfeee3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D93A04B0-6F7B-4402-A929-867C1B531D55}\Implemented Categories	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBCF7762-329B-4CB3-853B-9871423F4258}\1.0\0\win64	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ProxyStubClsid32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ = "_Entry"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{892D34BB-B365-40B9-A853-EDC2729855E8}\TypeLib\Version = "1.0"	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

AMe1kiV.exeofojsn.exelogagent.exewsmprovhost.exeup.exe

pid	process
2764	AMe1kiV.exe
2764	AMe1kiV.exe
2764	AMe1kiV.exe
2764	AMe1kiV.exe
2764	AMe1kiV.exe
2764	AMe1kiV.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3828	logagent.exe
3828	logagent.exe
3776	ofojsn.exe
3776	ofojsn.exe
3836	wsmprovhost.exe
3836	wsmprovhost.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
3776	ofojsn.exe
2284	up.exe
2284	up.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

pid process

2112 9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

pid	process
2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

wscript.exerdhxft.exeofojsn.exe

description	pid	process
Token: SeDebugPrivilege	2648	wscript.exe
Token: SeDebugPrivilege	2228	rdhxft.exe
Token: SeTcbPrivilege	2228	rdhxft.exe
Token: SeDebugPrivilege	3776	ofojsn.exe
Token: SeDebugPrivilege	3776	ofojsn.exe
Token: SeDebugPrivilege	3776	ofojsn.exe
Token: SeDebugPrivilege	3776	ofojsn.exe
Token: SeDebugPrivilege	3776	ofojsn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

pid process

2112 9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

pid	process
2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exeAMe1kiV.exewscript.exeofojsn.exe

description	pid	process	target process
PID 2112 wrote to memory of 2764	2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe	AMe1kiV.exe
PID 2112 wrote to memory of 2764	2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe	AMe1kiV.exe
PID 2112 wrote to memory of 2764	2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe	AMe1kiV.exe
PID 2112 wrote to memory of 2764	2112	9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe	AMe1kiV.exe
PID 2764 wrote to memory of 2648	2764	AMe1kiV.exe	wscript.exe
PID 2764 wrote to memory of 2648	2764	AMe1kiV.exe	wscript.exe
PID 2764 wrote to memory of 2648	2764	AMe1kiV.exe	wscript.exe
PID 2764 wrote to memory of 2648	2764	AMe1kiV.exe	wscript.exe
PID 2648 wrote to memory of 2804	2648	wscript.exe	RegAsm.exe
PID 2648 wrote to memory of 2804	2648	wscript.exe	RegAsm.exe
PID 2648 wrote to memory of 2804	2648	wscript.exe	RegAsm.exe
PID 2764 wrote to memory of 2228	2764	AMe1kiV.exe	rdhxft.exe
PID 2764 wrote to memory of 2228	2764	AMe1kiV.exe	rdhxft.exe
PID 2764 wrote to memory of 2228	2764	AMe1kiV.exe	rdhxft.exe
PID 2764 wrote to memory of 2228	2764	AMe1kiV.exe	rdhxft.exe
PID 2764 wrote to memory of 3776	2764	AMe1kiV.exe	ofojsn.exe
PID 2764 wrote to memory of 3776	2764	AMe1kiV.exe	ofojsn.exe
PID 2764 wrote to memory of 3776	2764	AMe1kiV.exe	ofojsn.exe
PID 2764 wrote to memory of 3776	2764	AMe1kiV.exe	ofojsn.exe
PID 3776 wrote to memory of 3828	3776	ofojsn.exe	logagent.exe
PID 3776 wrote to memory of 3828	3776	ofojsn.exe	logagent.exe
PID 3776 wrote to memory of 3828	3776	ofojsn.exe	logagent.exe
PID 3776 wrote to memory of 3828	3776	ofojsn.exe	logagent.exe
PID 3776 wrote to memory of 3836	3776	ofojsn.exe	wsmprovhost.exe
PID 3776 wrote to memory of 3836	3776	ofojsn.exe	wsmprovhost.exe
PID 3776 wrote to memory of 3836	3776	ofojsn.exe	wsmprovhost.exe
PID 3776 wrote to memory of 3836	3776	ofojsn.exe	wsmprovhost.exe
PID 3776 wrote to memory of 3844	3776	ofojsn.exe	upnpcont.exe
PID 3776 wrote to memory of 3844	3776	ofojsn.exe	upnpcont.exe
PID 3776 wrote to memory of 3844	3776	ofojsn.exe	upnpcont.exe
PID 3776 wrote to memory of 3844	3776	ofojsn.exe	upnpcont.exe
PID 3776 wrote to memory of 3856	3776	ofojsn.exe	winrshost.exe
PID 3776 wrote to memory of 3856	3776	ofojsn.exe	winrshost.exe
PID 3776 wrote to memory of 3856	3776	ofojsn.exe	winrshost.exe
PID 3776 wrote to memory of 3856	3776	ofojsn.exe	winrshost.exe
PID 3776 wrote to memory of 3864	3776	ofojsn.exe	tstheme.exe
PID 3776 wrote to memory of 3864	3776	ofojsn.exe	tstheme.exe
PID 3776 wrote to memory of 3864	3776	ofojsn.exe	tstheme.exe
PID 3776 wrote to memory of 3864	3776	ofojsn.exe	tstheme.exe
PID 3776 wrote to memory of 3828	3776	ofojsn.exe	logagent.exe
PID 3776 wrote to memory of 3836	3776	ofojsn.exe	wsmprovhost.exe
PID 3776 wrote to memory of 3844	3776	ofojsn.exe	upnpcont.exe
PID 3776 wrote to memory of 3856	3776	ofojsn.exe	winrshost.exe
PID 3776 wrote to memory of 3864	3776	ofojsn.exe	tstheme.exe
PID 3776 wrote to memory of 2284	3776	ofojsn.exe	up.exe
PID 3776 wrote to memory of 2284	3776	ofojsn.exe	up.exe
PID 3776 wrote to memory of 2284	3776	ofojsn.exe	up.exe
PID 3776 wrote to memory of 2284	3776	ofojsn.exe	up.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\AMe1kiV.exe
    C:\Users\Admin\AppData\Local\Temp\AMe1kiV.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2764
- C:\Windows\system32\wscript.exe
  C:\Windows\SysNative\wscript.exe C:\Windows\aluhhg.vbs
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" C:\Windows\SysCom.dll /tlb:C:\Windows\SysCom.tlb /codebase /nologo
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    PID:2804
- C:\Windows\rdhxft.exe
  C:\Windows\rdhxft.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\ofojsn.exe
  C:\Windows\ofojsn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\logagent.exe
    C:\Windows\SysWOW64\logagent.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- - C:\Windows\SysWOW64\wsmprovhost.exe
    C:\Windows\SysWOW64\wsmprovhost.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3836
- - C:\Windows\SysWOW64\upnpcont.exe
    C:\Windows\SysWOW64\upnpcont.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Windows\SysWOW64\winrshost.exe
    C:\Windows\SysWOW64\winrshost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
- - C:\Windows\SysWOW64\tstheme.exe
    C:\Windows\SysWOW64\tstheme.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
- - C:\Windows\up.exe
    C:\Windows\up.exe "C:\Windows\ofojsn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysCom.dll

Filesize
302KB

MD5
83ad33ba7a65f5ee02e2434dc829bf6b

SHA1
dba7a78fc49aad4e2679ff34f19aa3c0286271fa

SHA256
3f7a972cbf5b5e840b57fe308b69641dbca03928c14f9152af98e5dfd0136f80

SHA512
eae5ed69b3e91c34dd5521486f70c7c45e9615957f1b75ae160609abe1eea55e3880c79b08e8061b5a0e679c92ae99b40ceba178b43c3837004b9f6cedae9346

Download Submit
C:\Windows\SysWOW64\logagen.dll

Filesize
432KB

MD5
bc95c777ba06aca827702909605481ea

SHA1
81bd4685c8c627d51b6c95c7da5abcaa47dcfc12

SHA256
092828eb0aa169207a1a32e67f287be7a4a725ce9f828f117dd72b6474d075d5

SHA512
4a4a510c7e0c1c64044f150326ceb2f2fcd17a2685f0b7f16ac3427c87f2ac202732a430c3ea11e5f7f0bb5ef9c720ac6e514a44d82c4c515e78688f182553be

Download Submit
C:\Windows\SysWOW64\wsmprovhos.dll

Filesize
432KB

MD5
f18e699322e30c18def1026ff77de3a1

SHA1
5d7ffebb0e382c3c0da00112dbe30cdee7ef6792

SHA256
b5768f3134f7cb782950cb982e163ffe33852a8412b5fb110574edb19d51ad92

SHA512
8aa59aee1ab24fd634b3ff7fc9d1b9e52a6a98ea4386005379515af7af8be4794e827e076ee9c7232f5fdaed101e2c01b797bb94b8cf5f24bc3ad1200cc6d026

Download Submit
C:\Windows\aluhhg.vbs

Filesize
378B

MD5
0cefb8b86a39030e804fcf6d8a878fd7

SHA1
4c9c639bef4115e96c586b7f689f2dfbb6bccaf0

SHA256
383e8a0a61de6287075ddbb57d8bd85907dc9745b96290a3866e7d4495952f5b

SHA512
ecc972caa3acbb36f955579f5f35617187be4aacd6ff748d504cc66ef518594dea129b20fdc7872de971837cfe5bd41904a4ebdc0f59c05fdcfe3603db3100ac

Download Submit
C:\Windows\ofojsn.exe

Filesize
488KB

MD5
c4c9e1b7bbf37cbc5e706570ec7a2930

SHA1
02eb098b1379dd1da459de12ec998e95efcaba2f

SHA256
aa4cf4c83501a5854fb30ba3c5df705c9972f3daf2e32bc001e445af2939f9a4

SHA512
db2480cb06e4b73c602b46c95e176e97b1211afdc12cbd22321aa5e75d9171e2a5b9916b7117095b88ea4dff0b14f199b074c5165dd5ec213dd11c2b76080bc8

Download Submit
C:\Windows\rdhxft.exe

Filesize
404KB

MD5
2f345d7c69fe45c000a24966246891ae

SHA1
e2649d6a91ac0518122635235e25cb0e27fba3c7

SHA256
c3048accfb543e162bbe9aecb9fb8403af1a968cc46bfe1f79f771cb88e49f5e

SHA512
7e58702cfded9f97d2996250d51728116ab1c9a308f49e3c88900ca1a4658fab86971c91746b49e555ca2cf6a7d01effb22b923c6a04a6572983907344a18907

Download Submit
C:\Windows\up.exe

Filesize
17KB

MD5
b166ebc233ce5476532a61e86ef1bcbb

SHA1
5aaf3f8484628f21aa1d1432212648bf49a4e8fa

SHA256
4012ff4bbca655fd82b569e207d253f5aa035d9db13fe5518a5d4ce119ef4663

SHA512
d2e347a06cfa7cb9a59e3f7ad0959844b4a2c3665cc79cbc217a34dc7b45abb0e89bb77a7c7f9070069ebe9be342860f0e6a92cbae0dee7ba53aad144fac40a5

Download Submit
\Users\Admin\AppData\Local\Temp\AMe1kiV.exe

Filesize
3.0MB

MD5
e94755ee3c0ec04a6ee01000697b441e

SHA1
4bf4484a35000188a44af41093d11b60d64000b7

SHA256
0ad87e17cea59e3852731aab5b83c05032b2f32c99a1c9eabff0f299c4b9368c

SHA512
2423ee75781768397c0a096d05f2f053ad7fc2869f3c0b86fb71bbd74fa03a6ebd255d9e8b3bb65f7b71882da4843e3c454498c05ab372e86d1ed974fa19f85c

Download Submit
\Users\Admin\AppData\Local\Temp\f7721a4.tmp

Filesize
432KB

MD5
37784d3b6eb8e527d69b03e6c531d0d7

SHA1
09d7d2de3e7fd0696bf3c3902fad3cf63c3fe9ec

SHA256
453615d394dc7fd5a7ad5f78581529714ee1d11c31f10df3577cf0447cb8da1a

SHA512
14a6a0aba698d0fff62554b3300699ed1264034cba16deff808129e049e9644a2a9b50d78de0e12e66cf3cbb52de247cb5ae9948ecbd27155b66b45e8c46ebf2

Download Submit
memory/2112-38-0x0000000002C30000-0x0000000003287000-memory.dmp

Filesize
6.3MB

Download
memory/2112-10-0x0000000002C30000-0x0000000003287000-memory.dmp

Filesize
6.3MB

Download
memory/2112-8-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2112-0-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2112-2-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2228-635-0x0000000000190000-0x0000000000246000-memory.dmp

Filesize
728KB

Download
memory/2228-39-0x0000000000190000-0x0000000000246000-memory.dmp

Filesize
728KB

Download
memory/2284-631-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2284-629-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2648-66-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-74-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-56-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-43-0x0000000002680000-0x00000000026CC000-memory.dmp

Filesize
304KB

Download
memory/2648-44-0x0000000003A70000-0x0000000003ABC000-memory.dmp

Filesize
304KB

Download
memory/2648-45-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-46-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-48-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-50-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-52-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-62-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-80-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-54-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-58-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-94-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-92-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-90-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-88-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-86-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-84-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-82-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-78-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-76-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-60-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-72-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-70-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-68-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2648-32-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/2648-64-0x0000000003A70000-0x0000000003AB6000-memory.dmp

Filesize
280KB

Download
memory/2764-21-0x0000000010000000-0x00000000100AF000-memory.dmp

Filesize
700KB

Download
memory/2764-577-0x0000000074370000-0x0000000074419000-memory.dmp

Filesize
676KB

Download
memory/2764-41-0x0000000000160000-0x00000000007B7000-memory.dmp

Filesize
6.3MB

Download
memory/2764-11-0x0000000000160000-0x00000000007B7000-memory.dmp

Filesize
6.3MB

Download
memory/2764-584-0x0000000074370000-0x0000000074419000-memory.dmp

Filesize
676KB

Download
memory/2764-571-0x0000000074370000-0x0000000074419000-memory.dmp

Filesize
676KB

Download
memory/2764-541-0x0000000010000000-0x00000000100AF000-memory.dmp

Filesize
700KB

Download
memory/2764-583-0x0000000000160000-0x00000000007B7000-memory.dmp

Filesize
6.3MB

Download
memory/2764-12-0x0000000000160000-0x00000000007B7000-memory.dmp

Filesize
6.3MB

Download
memory/2764-18-0x0000000010000000-0x00000000100AF000-memory.dmp

Filesize
700KB

Download
memory/2764-22-0x0000000010000000-0x00000000100AF000-memory.dmp

Filesize
700KB

Download
memory/2764-16-0x0000000010000000-0x00000000100AF000-memory.dmp

Filesize
700KB

Download
memory/2764-36-0x0000000003A90000-0x0000000003B46000-memory.dmp

Filesize
728KB

Download
memory/2804-28-0x000000013FD80000-0x000000013FD90000-memory.dmp

Filesize
64KB

Download
memory/2804-30-0x00000000022E0000-0x0000000002332000-memory.dmp

Filesize
328KB

Download
memory/3776-624-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download