modiloader | b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
Size

2.0MB
MD5

ccd36a7a88b817167d87e8c321597f4e
SHA1

a9cfeac34629b89cc1bd484ffa71e85141f54c4e
SHA256

b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516
SHA512

e176044f65c9288e008b3f8c0a1546b2c108b2be133209c84f1d402bb21db4793f5ed762a570ad16eadb2c99a7a8b7270487a46b5b7f793e0020946f1567bb49
SSDEEP

49152:EhNDQ14n+tTb52LVucsFaBgv4TV6JzMsJIz2Ee08O3kp:yDQ14+52huX+oMbz33u

Score

10^/10

modiloader bootkit discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit,\"C:\\Program Files\\Windows Media Player\\0\\e\\e\\3\\7\\c\\c\\5\\a\\d\\e\\1\\1\\9\\e\\3\\b\\3\\c\\8\\c\\0\\2\\1\\a\\2\\f\\1\\6\\8\\b\\4\\autorun.inf\\svchost.exe¡¡\""	trads.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit,\"C:\\Program Files\\Windows Media Player\\0\\e\\e\\3\\7\\c\\c\\5\\a\\d\\e\\1\\1\\9\\e\\3\\b\\3\\c\\8\\c\\0\\2\\1\\a\\2\\f\\1\\6\\8\\b\\4\\autorun.inf\\svchost.exe¡¡\""	svchost.exe¡¡

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe¡¡

Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/1528-0-0x0000000000400000-0x0000000000582000-memory.dmp	modiloader_stage2
behavioral1/files/0x0006000000019429-12.dat	modiloader_stage2
behavioral1/memory/2316-44-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/1528-153-0x0000000000400000-0x0000000000582000-memory.dmp	modiloader_stage2
behavioral1/memory/1528-154-0x0000000002250000-0x00000000022C3000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2316	tradd.exe
2128	trads.exe
2984	svchost.exe¡¡

Loads dropped DLL 17 IoCs

pid	Process
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\autorun.inf\desktop.ini	trads.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	trads.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe¡¡

Drops autorun.inf file 1 TTPs 35 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Program Files\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf	trads.exe
File opened for modification	C:\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf	trads.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\desktop.ini	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\ÎÄ¼þÃâÒß	trads.exe
File created	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\desktop.ini	trads.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\ÎÄ¼þÃâÒß..\	trads.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	2984	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tradd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe¡¡
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2636	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡	trads.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡\ = "exefile"	trads.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe
Token: SeDebugPrivilege	2128	trads.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2128	trads.exe
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2984	svchost.exe¡¡
2984	svchost.exe¡¡

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2316	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2316	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2316	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2316	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2128	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2128	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2128	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2128	1528	ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2452	2128	trads.exe	32
PID 2128 wrote to memory of 2452	2128	trads.exe	32
PID 2128 wrote to memory of 2452	2128	trads.exe	32
PID 2128 wrote to memory of 2452	2128	trads.exe	32
PID 2452 wrote to memory of 2636	2452	cmd.exe	34
PID 2452 wrote to memory of 2636	2452	cmd.exe	34
PID 2452 wrote to memory of 2636	2452	cmd.exe	34
PID 2452 wrote to memory of 2636	2452	cmd.exe	34
PID 2128 wrote to memory of 316	2128	trads.exe	36
PID 2128 wrote to memory of 316	2128	trads.exe	36
PID 2128 wrote to memory of 316	2128	trads.exe	36
PID 2128 wrote to memory of 316	2128	trads.exe	36
PID 2128 wrote to memory of 2984	2128	trads.exe	38
PID 2128 wrote to memory of 2984	2128	trads.exe	38
PID 2128 wrote to memory of 2984	2128	trads.exe	38
PID 2128 wrote to memory of 2984	2128	trads.exe	38
PID 316 wrote to memory of 2952	316	cmd.exe	39
PID 316 wrote to memory of 2952	316	cmd.exe	39
PID 316 wrote to memory of 2952	316	cmd.exe	39
PID 316 wrote to memory of 2952	316	cmd.exe	39
PID 2984 wrote to memory of 2336	2984	svchost.exe¡¡	40
PID 2984 wrote to memory of 2336	2984	svchost.exe¡¡	40
PID 2984 wrote to memory of 2336	2984	svchost.exe¡¡	40
PID 2984 wrote to memory of 2336	2984	svchost.exe¡¡	40

C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\temp\tradd.exe
  "C:\temp\tradd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\temp\trads.exe
  "C:\temp\trads.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Writes to the Master Boot Record (MBR)
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\temp\CQ.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im qq.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\temp\temp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Media Player\0" /d everyone /e
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
    "C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 2128"C:\temp\trads.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\autorun.inf\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
332KB

MD5
3102c454a9543e58fe3ad5f783f5a690

SHA1
dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

SHA256
039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

SHA512
5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
c1180974dd8a7c6d9f8fcc13096b4f7a

SHA1
9d50021334248bf0c752b3ed34deed48325da05c

SHA256
5b1ff0cabb2384f4b6385c1acce1d5e3a9d7b8e0403e2224cd1ab9722a599d3d

SHA512
c8b938bf172b9d2ccfaea34ff7cfddc9eaab8a9416a07e458bd34dfed2ea18de66d23dbaa9f15c2faf1009e00a8dfca3168ab41f02ef28e97c9197c3ca6943e9

Download Submit
C:\temp\CQ.bat

Filesize
30B

MD5
458d6a0f8398f6fa8bda7bb2ba5be353

SHA1
eec02a1cf5047cee3d4dee32ef13498c49a61154

SHA256
66142298d915314ddb48b417e96b48936e71a190d8f7cd8ae5a053cbe2746ddc

SHA512
c4fad6cafa4b17da18f5beceb65f91414c9fa0774c99caeadc87bc44f5faee6425208c78f6f111bec71b2e0cf58922c4bb62a0e3247b2af7699113a76c11c730

Download Submit
C:\temp\temp.bat

Filesize
72B

MD5
593ce3f439bb49aa3ef95af11b146c18

SHA1
1475674af547f66b3de40d5afde11fcb558a53eb

SHA256
886e68d9e6edb3b9ed472e9990fb9b0822c3be5e4cf6066af986edfac465546b

SHA512
76378b3017f75e0dbbf03a8bedf12b5b80c2d5da7a108ab7024acbbb7deac44ed16e054b53e86f9c8aef210f3a9cb3d1d39e43a698281b92149501c39d863349

Download Submit
C:\temp\trads.exe

Filesize
797KB

MD5
19fa81d3334da1f3c3c38c1be26fed09

SHA1
bf1c12c63d2ed15732b30a913f8b8c082f4375ae

SHA256
130a1b2020219f829779c0f7c337fe2735848fa77da0783fdcb59aed57bff0c5

SHA512
04efec623a7fae6061142c234b32e3c45b5dd3b23ccce4c5e57cf3c87c77dcb74f0d26bc92a0050dfbf9e6785e0924a1a740afc539d5712c95280117105ab7a0

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne

Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.0MB

MD5
4b30dbe1a79b2b7572ff637cb3765ced

SHA1
b08eba0e9bdb62d426db8d2b3d451152a56f79a1

SHA256
4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

SHA512
40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
60KB

MD5
97d57d2e349f2afbe6c40baa679f6281

SHA1
e9ee8998a6cc9cbc109da0cf741d8803a3762a82

SHA256
944fa12ee12b4c008f6ea52cfd6e4b7ce1719a419fb77a65fd0c432160ecc699

SHA512
fc3149e1b49680bbb8346769d8cc1c4cecb035636464686412cd0242d6eb52316b171f8b15fed218ebe7850c84a2d4a134dbdb3693c5c369863aabaed66b9d88

Download Submit
\temp\tradd.exe

Filesize
689KB

MD5
86ef1f02e5ee0ea2e2c01459ba99309e

SHA1
234d98c53b1c82453437e032d3a300603e89f46d

SHA256
f8e7cee187a8d0fbe85a4eda5d0a04094342b66fbf402cce3aaa8273850b454b

SHA512
3407fe92e568c3ce6c7ea50a03d4e1029c5a23d30eeab912abc2e1593be4d1f076597df1d90d5b442b2165e261512f0260d8cea9527a67178f6182705e008cce

Download Submit
memory/1528-23-0x0000000002250000-0x00000000022C3000-memory.dmp

Filesize
460KB

Download
memory/1528-155-0x0000000002250000-0x00000000022C3000-memory.dmp

Filesize
460KB

Download
memory/1528-154-0x0000000002250000-0x00000000022C3000-memory.dmp

Filesize
460KB

Download
memory/1528-24-0x0000000002250000-0x00000000022C3000-memory.dmp

Filesize
460KB

Download
memory/1528-0-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1528-153-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1528-9-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/2128-26-0x0000000000400000-0x000000000047223C-memory.dmp

Filesize
456KB

Download
memory/2128-132-0x0000000002330000-0x00000000023A3000-memory.dmp

Filesize
460KB

Download
memory/2128-134-0x0000000002330000-0x00000000023A3000-memory.dmp

Filesize
460KB

Download
memory/2128-145-0x0000000000400000-0x000000000047223C-memory.dmp

Filesize
456KB

Download
memory/2316-44-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2316-40-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2984-142-0x0000000001E80000-0x0000000001EE3000-memory.dmp

Filesize
396KB

Download
memory/2984-135-0x0000000000400000-0x000000000047223C-memory.dmp

Filesize
456KB

Download
memory/2984-156-0x0000000000400000-0x000000000047223C-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads