teslacrypt | d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
Size

396KB
MD5

b774e9f49d4aa8a2a009d06a6cdb6f8a
SHA1

5eaf1e24c495634ecbf7c81b640d10de8a3399d2
SHA256

d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686
SHA512

b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf
SSDEEP

6144:CT3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:CT3MA+bJmy4ZKfQRMh6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+actia.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DC47193B5203DDE 2. http://kkd47eh4hdjshb5t.angortra.at/DC47193B5203DDE 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/DC47193B5203DDE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/DC47193B5203DDE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DC47193B5203DDE http://kkd47eh4hdjshb5t.angortra.at/DC47193B5203DDE http://ytrest84y5i456hghadefdsd.pontogrot.com/DC47193B5203DDE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DC47193B5203DDE

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DC47193B5203DDE

http://kkd47eh4hdjshb5t.angortra.at/DC47193B5203DDE

http://ytrest84y5i456hghadefdsd.pontogrot.com/DC47193B5203DDE

http://xlowfznrg4wf7dli.ONION/DC47193B5203DDE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (390) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+actia.html	ejstnsuicpyj.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ygjdrqauxpgr = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ejstnsuicpyj.exe\""	ejstnsuicpyj.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 2748 set thread context of 2772	2748	ejstnsuicpyj.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Uninstall Information\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Java\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\Recovery+actia.html	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\flyout.css	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\Recovery+actia.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+actia.txt	ejstnsuicpyj.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Recovery+actia.png	ejstnsuicpyj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ejstnsuicpyj.exe	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
File opened for modification	C:\Windows\ejstnsuicpyj.exe	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejstnsuicpyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejstnsuicpyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEB118C1-B07D-11EF-9D58-7EBFE1D0DDB4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e62dc45ff704c488879e75f00699a6100000000020000000000106600000001000020000000478afdb9f3996c5f66ba79e89d44933153866f4b2b3fdf25868be45f01b3d0d8000000000e80000000020000200000004c1385a0cf0cdf5198f6ddc0436025976c75b846c67fbcf6ec2390f92899de17200000009d5753e0c82ac8f5c46ae31456286817e29a303d45167c8a4ef4c464905f5892400000008a39e34958a0ca6bb9a32baeba6ae06ffca111814d791a10a3e940a26f3f2670ba2594041b729575eba122a284e97b0e383828d0b50a43e34a2a21035f379da4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e62dc45ff704c488879e75f00699a610000000002000000000010660000000100002000000039292fa2c586edc751fe9ac96b4cc4f0104f87a268a88568885632910dca1d47000000000e80000000020000200000006d3b86a6c7d75effe199a28056c2e2f51a05064d74fb3cff2b6db1e06ef0869390000000d4b55d0a065170ec740ec864e89435f5cc3c3fa12aad123ee6e3817d8c7fc495f57976400ed79381b84c0efea3288a124b6dbe8ce028cd4457c266df5d8f3736631afa21af7fe22143bfbc8e0b9db22f0cd3f7cbf9fa795c278fb7581bbff42479edc06873a3f880132b51ad12e212b20e80c5f48d33d1cafdd0d7528a88f7b8579eacb8858e1fdca2f4ebadffa9b2ff40000000228d96d9e8cf486cf511cf74229975e685790068e5e721966448d7179add85fde5755c4115de5959a9a7a7b89d6edcea11207374ddfc458babdb1c21c53112ec	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c842a38a44db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ejstnsuicpyj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ejstnsuicpyj.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2608	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe
2772	ejstnsuicpyj.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	ejstnsuicpyj.exe
Token: SeIncreaseQuotaPrivilege	1672	WMIC.exe
Token: SeSecurityPrivilege	1672	WMIC.exe
Token: SeTakeOwnershipPrivilege	1672	WMIC.exe
Token: SeLoadDriverPrivilege	1672	WMIC.exe
Token: SeSystemProfilePrivilege	1672	WMIC.exe
Token: SeSystemtimePrivilege	1672	WMIC.exe
Token: SeProfSingleProcessPrivilege	1672	WMIC.exe
Token: SeIncBasePriorityPrivilege	1672	WMIC.exe
Token: SeCreatePagefilePrivilege	1672	WMIC.exe
Token: SeBackupPrivilege	1672	WMIC.exe
Token: SeRestorePrivilege	1672	WMIC.exe
Token: SeShutdownPrivilege	1672	WMIC.exe
Token: SeDebugPrivilege	1672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1672	WMIC.exe
Token: SeRemoteShutdownPrivilege	1672	WMIC.exe
Token: SeUndockPrivilege	1672	WMIC.exe
Token: SeManageVolumePrivilege	1672	WMIC.exe
Token: 33	1672	WMIC.exe
Token: 34	1672	WMIC.exe
Token: 35	1672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	524	WMIC.exe
Token: SeSecurityPrivilege	524	WMIC.exe
Token: SeTakeOwnershipPrivilege	524	WMIC.exe
Token: SeLoadDriverPrivilege	524	WMIC.exe
Token: SeSystemProfilePrivilege	524	WMIC.exe
Token: SeSystemtimePrivilege	524	WMIC.exe
Token: SeProfSingleProcessPrivilege	524	WMIC.exe
Token: SeIncBasePriorityPrivilege	524	WMIC.exe
Token: SeCreatePagefilePrivilege	524	WMIC.exe
Token: SeBackupPrivilege	524	WMIC.exe
Token: SeRestorePrivilege	524	WMIC.exe
Token: SeShutdownPrivilege	524	WMIC.exe
Token: SeDebugPrivilege	524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	524	WMIC.exe
Token: SeRemoteShutdownPrivilege	524	WMIC.exe
Token: SeUndockPrivilege	524	WMIC.exe
Token: SeManageVolumePrivilege	524	WMIC.exe
Token: 33	524	WMIC.exe
Token: 34	524	WMIC.exe
Token: 35	524	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2636	iexplore.exe
2592	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2592	DllHost.exe
2592	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2304	1732	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2748	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2748	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2748	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2748	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2924	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2924	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2924	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2924	2304	b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe	33
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2748 wrote to memory of 2772	2748	ejstnsuicpyj.exe	35
PID 2772 wrote to memory of 1672	2772	ejstnsuicpyj.exe	36
PID 2772 wrote to memory of 1672	2772	ejstnsuicpyj.exe	36
PID 2772 wrote to memory of 1672	2772	ejstnsuicpyj.exe	36
PID 2772 wrote to memory of 1672	2772	ejstnsuicpyj.exe	36
PID 2772 wrote to memory of 2608	2772	ejstnsuicpyj.exe	41
PID 2772 wrote to memory of 2608	2772	ejstnsuicpyj.exe	41
PID 2772 wrote to memory of 2608	2772	ejstnsuicpyj.exe	41
PID 2772 wrote to memory of 2608	2772	ejstnsuicpyj.exe	41
PID 2772 wrote to memory of 2636	2772	ejstnsuicpyj.exe	42
PID 2772 wrote to memory of 2636	2772	ejstnsuicpyj.exe	42
PID 2772 wrote to memory of 2636	2772	ejstnsuicpyj.exe	42
PID 2772 wrote to memory of 2636	2772	ejstnsuicpyj.exe	42
PID 2636 wrote to memory of 1672	2636	iexplore.exe	45
PID 2636 wrote to memory of 1672	2636	iexplore.exe	45
PID 2636 wrote to memory of 1672	2636	iexplore.exe	45
PID 2636 wrote to memory of 1672	2636	iexplore.exe	45
PID 2772 wrote to memory of 524	2772	ejstnsuicpyj.exe	44
PID 2772 wrote to memory of 524	2772	ejstnsuicpyj.exe	44
PID 2772 wrote to memory of 524	2772	ejstnsuicpyj.exe	44
PID 2772 wrote to memory of 524	2772	ejstnsuicpyj.exe	44
PID 2772 wrote to memory of 1288	2772	ejstnsuicpyj.exe	48
PID 2772 wrote to memory of 1288	2772	ejstnsuicpyj.exe	48
PID 2772 wrote to memory of 1288	2772	ejstnsuicpyj.exe	48
PID 2772 wrote to memory of 1288	2772	ejstnsuicpyj.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ejstnsuicpyj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ejstnsuicpyj.exe

C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\ejstnsuicpyj.exe
    C:\Windows\ejstnsuicpyj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\ejstnsuicpyj.exe
      C:\Windows\ejstnsuicpyj.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2772
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2608
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1672
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EJSTNS~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B774E9~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2924

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+actia.html

Filesize
9KB

MD5
d5213b6476358732074d70825acf1cc0

SHA1
4f2b80fdaf1264bcabd6845d3a8a756e5a0813d6

SHA256
a88e4defa3c3489803aa29aa3692776ae5ad5ae57ef154cceed2f9db4499a3c3

SHA512
5ec47364e50f97fb26a1fcdcc7e302b65925cb88bf71de0427ff8c2664482f8dd2b5aec3766b16c973946fce49b599b88177ab1cd38d56b9520fbb7a711b9308

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+actia.png

Filesize
63KB

MD5
04be19f037eb724428d0db5e0dbe49c6

SHA1
3b404e5f4f49e7c8b4131e9445d790cb101781c0

SHA256
94bbfbd291ebe850f2d8657ea4e29143440d901080b0835f1f6378725421ca1a

SHA512
35670d278bcfa3082549b9d7a3fd82a5aa3c610ccd1bbcb65e0a74279ee0e92ed0454f4001e3d026c5a2864d0fd56b4f799bf829db3c714c5cb262d55e9bd829

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+actia.txt

Filesize
1KB

MD5
161d4a74e85a221ad163af596de28c30

SHA1
6f0c88a060545dbccc92eaca1d8b315e3c16c133

SHA256
98c40a534d7901b2b1d6f32af628a641c998000ea32f74025966563a25026392

SHA512
87ec9a2f9ddea59d7c4fea6584488337ba0f5346b2c88565bc9c626b79be46ed0230586690b4f63b1d4d2c3758b56cce802ddc5a3427160e848b16f641d9c121

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8dcd5d7f790adb57b11573a53e0c2c04

SHA1
f5c6806ef30a9ae30e0f4050ba0623a23f30f1a7

SHA256
46fea7529b79621519a7df246ac89f4576002c877e13904e957117ea1e576067

SHA512
98fc18e97e2cf125069a2c299fc6499a6d7effa2ecab7ef1ed8c16d7f74834eddfa80c9c0f1dd526d75e3ec384f73ad5ad605f1a99b9c1b2de5772676987068e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e96468430b84020e82de4f42eedc2d25

SHA1
2cd93b50ad83735ed97f823afebbc788649df6b2

SHA256
abd7f00dfd463bdca4326a1b97b3ca53a4c1dc6085a598fc89df7a73ad4fd4cc

SHA512
3cb07da6956c42a6b6c3b2d99b07ec8ca44d815ecf83d4d4d960b429e86e4145f32d28eb94e84fd18913c3c574803ac49e6d15b373387b9d9e8779b484b18bd5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
3342df137f8280ac79a9c22371a5c948

SHA1
59b0c8f38649648a0e0b5aea00e31324eb45181d

SHA256
b393153102a38d9da2ec30522422224426614178b2c1b1dd0b825dd1120a687a

SHA512
913b6638a75ebeaab653af2f0f30d9a3593ad0652e1c910266b5f35c04d9ae363caa82e98233b50ccf78afbd92d2043816fb5976d43d19458b399d5113c8fbaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f9b5196bc6f06986037543fa9693ec4

SHA1
8087d88099d9d1cf0af108389bdea9affa0e6ccd

SHA256
a05dc778d44f26e4c3a4a6c40962151a0f35fc18c9d8b8029f233c76d4351689

SHA512
4c47bb3d9b1956f3b519a0ddb9247264cfc9a64bb52a0363d15d6973bc292661eacff3a5c0f3e8b9b4c05b55e6baf0b6ea681d8d383ec4d7f8eada6abd3bff29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
855278eb558cdcef0d5c4956b37cfe2d

SHA1
b1d512bbf6b8d04acdfbd92a272fb8dab04db6d2

SHA256
88dd5a2203435039939d7ee0d91a84b4e795e03a8e0fa8b0315a22cc1322654f

SHA512
ad7044fb70aefa4cc700cc4cc09b6d36e5e1d5cbe0207ed63fe4d38209c02fbe093c562489f5a562297892cd9975e7719bc57e63ea88367bec04e1f1ff347df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e970843226750f806fadf9e79b7d2cd9

SHA1
4c0ca81355e07fd3d89fea40025133b91643d55e

SHA256
f4aaaa0fac91a8d1314a7c380943a90fc9a1d114d75107000eb11232c7d64a36

SHA512
07e563074169cebbdfe49b4de874c1413f11d1da70ae4ddcafe6a51061c2f7a132c69ee00668c51bf5848a1b1be47c5c6ed171a33ca370d75608ddc185649172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43388b95c4dfa9e2171cd38e1d2ec695

SHA1
db3d0554fcde90d2f86d16657e7dafaea71ba99e

SHA256
2bdd874130774ac3bc5764e0d2d1d6af4d40131a227538e3b9ffe2dec7caa3f6

SHA512
685bb1c50b09a9bcd0415bad51074459fd6ef80fe94bd09ce061739f4ea7fce2f077755e35a9157b1d7f1e27f857806a627e9974017073a1c5d5dde5e0e3b255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca4e83da3bbf3e2e02976a8fd283e07

SHA1
1d73a4cfa3452f25658e56713825ce93394998be

SHA256
a4a944d66e2448fa9ddad479935553bc749660ecb2cbc239552054abac4a8812

SHA512
f1864f5f8530ded52592add7e1a777b7627e9936c2a08cad8e911a91c10ec8fcc931364d63f2ddc9461944b3c752545f3e87d862dd7771c43129bc2f60cd5bc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97b6f20992c6bd6274c029ed6de8eed6

SHA1
083399fcc4288b1e8d7525f907025adce1aa8a96

SHA256
bdd7e3a25d2410086c1b6684494ee8df3da52436e1adffc1c45421973c9e7a69

SHA512
9b8e861508bc05aad715a058322877f75a924718764fe57ad988731e0d8b36b26722f37f57bf091ee7dcb126f9b986d2bb7db29d2536ec91f46d4db2dc1f22c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11e329b6e6a6bb5ef9dbaab78d72acb3

SHA1
1f646fcee765f0c341de052d5d79c458f53c6c31

SHA256
02a1deb6266db113903dfea690fb4170138c220dd15a51512e53810ef6b5330d

SHA512
75f8f8716db185436aa797b7292e8da8ee06357a54a6aa724deebeed2a782c0c206797eb1af2deb6ef8170d6df5e3a83b5bba8ea182dc9df3a5bd55d32deb068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e2257493371d065f5483bbbf530d1c

SHA1
e6eac0035db036de00b3d47b4d37b048967a3803

SHA256
b9a812bf473271a52de180d9d61425013ed523ab24a4cd4cfbeae2dbf91c3aac

SHA512
1add32e26bfd308a59733724bcd1ddd4a5affdce81c7757907bf07be0b8acbce81f943ae43607098c746a4ebb8006c97bd45b628728a7c5842672faa614ea04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729cf80e2468a8da85024b61975815dd

SHA1
3448f24b4d02d5e5d8a76de9b504f2339be08ea0

SHA256
814d35e98a2d0302af6075e7c590d804aab4bdbd6eafb9205fec895aac797ebc

SHA512
49caf8ecb3c7d69dc8e72de0ae7675f20856b539ea8acd29e9e409a593c8f278e7e2b10157f8c88d1119e01e95e3bbcd0636bc570365cde4fce8d8cb28ffe200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33A0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33A1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ejstnsuicpyj.exe

Filesize
396KB

MD5
b774e9f49d4aa8a2a009d06a6cdb6f8a

SHA1
5eaf1e24c495634ecbf7c81b640d10de8a3399d2

SHA256
d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686

SHA512
b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf

Download Submit
memory/1732-0-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/1732-19-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/1732-1-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/2304-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2304-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2304-28-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2592-5999-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2748-30-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/2772-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-4434-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-6025-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-6028-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-6001-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-5998-0x0000000003C00000-0x0000000003C02000-memory.dmp

Filesize
8KB

Download
memory/2772-5992-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-6002-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-1588-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-1583-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-1584-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2772-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download