Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 02:34
Static task
static1
Behavioral task
behavioral1
Sample
d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe
-
Size
18.2MB
-
MD5
d040bc332f74f04a82d3b134bbac0a16
-
SHA1
653b45b590c4b380e73d86d9d120e9b63162129c
-
SHA256
8ed08dcd0d0a6e59a09d9d02c93a5c4e1809793c7a10e2081054a822aa1eca1b
-
SHA512
cccd6130aa98800c444ebf5e6c22f6a2fc2ffa7a7fc1a01db3555bd3bd4d33ca687672615feb1f983c3f426184549c13895085aaca2b3e7eab033db062686043
-
SSDEEP
196608:LbHxeKYWO1twwgSMPbwBenZ6JyjgzR0reo2TOeI7KYWO1twwgSMPbwBenZ6JyjgC:LblOjwwvMEoZoljO4OjwwvMEoZoljOr
Malware Config
Signatures
-
Detect XtremeRAT payload 11 IoCs
resource yara_rule behavioral1/memory/2592-14-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-17-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-21-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-13-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-23-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-22-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-20-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-16-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-15-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2652-33-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat behavioral1/memory/2592-62-0x0000000000C80000-0x0000000001558000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 32 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" Server.exe -
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Server.exe -
Executes dropped EXE 47 IoCs
pid Process 2672 311wswsetup.exe 2564 311wswsetup.tmp 2984 Server.exe 1256 Server.exe 572 Server.exe 2476 Server.exe 548 Server.exe 1080 Server.exe 2236 Server.exe 1872 Server.exe 1948 Server.exe 1356 Server.exe 2268 Server.exe 1928 Server.exe 868 Server.exe 1628 Server.exe 2444 Server.exe 2880 Server.exe 2692 Server.exe 1664 Server.exe 1340 Server.exe 1932 Server.exe 1192 Server.exe 2040 Server.exe 2248 Server.exe 2484 Server.exe 1724 Server.exe 1096 Server.exe 1516 Server.exe 1048 Server.exe 1356 Server.exe 2728 Server.exe 1984 Server.exe 2368 Server.exe 1500 Server.exe 572 Server.exe 2340 Server.exe 1208 Server.exe 1832 Server.exe 1332 Server.exe 916 Server.exe 2268 Server.exe 2924 Server.exe 2884 Server.exe 1812 Server.exe 2368 Server.exe 1960 Server.exe -
Loads dropped DLL 17 IoCs
pid Process 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 2672 311wswsetup.exe 2564 311wswsetup.tmp 2564 311wswsetup.tmp 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 2984 Server.exe 2652 svchost.exe 2652 svchost.exe 572 Server.exe 572 Server.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe -
Adds Run key to start application 2 TTPs 32 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" Server.exe -
Drops file in System32 directory 43 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\311wswsetup.exe d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\311wswsetup.exe.exe d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe -
Suspicious use of SetThreadContext 16 IoCs
description pid Process procid_target PID 2272 set thread context of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 1256 set thread context of 572 1256 Server.exe 43 PID 548 set thread context of 1872 548 Server.exe 55 PID 2236 set thread context of 1948 2236 Server.exe 58 PID 2268 set thread context of 868 2268 Server.exe 75 PID 1628 set thread context of 2880 1628 Server.exe 80 PID 2692 set thread context of 1664 2692 Server.exe 85 PID 1932 set thread context of 2248 1932 Server.exe 107 PID 2040 set thread context of 1096 2040 Server.exe 114 PID 1724 set thread context of 1516 1724 Server.exe 118 PID 1356 set thread context of 2728 1356 Server.exe 124 PID 2368 set thread context of 2340 2368 Server.exe 149 PID 572 set thread context of 1208 572 Server.exe 151 PID 1332 set thread context of 2924 1332 Server.exe 163 PID 2268 set thread context of 2884 2268 Server.exe 165 PID 2368 set thread context of 1960 2368 Server.exe 172 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 311wswsetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 311wswsetup.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c20e0dc7205b2d28b69ee98b64d0c3f4cb3dbcd Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0" Server.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649} Server.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: 33 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe Token: 33 1256 Server.exe Token: SeIncBasePriorityPrivilege 1256 Server.exe Token: 33 548 Server.exe Token: SeIncBasePriorityPrivilege 548 Server.exe Token: 33 2236 Server.exe Token: SeIncBasePriorityPrivilege 2236 Server.exe Token: 33 2268 Server.exe Token: SeIncBasePriorityPrivilege 2268 Server.exe Token: 33 1628 Server.exe Token: SeIncBasePriorityPrivilege 1628 Server.exe Token: 33 2692 Server.exe Token: SeIncBasePriorityPrivilege 2692 Server.exe Token: 33 1932 Server.exe Token: SeIncBasePriorityPrivilege 1932 Server.exe Token: 33 2040 Server.exe Token: SeIncBasePriorityPrivilege 2040 Server.exe Token: 33 1724 Server.exe Token: SeIncBasePriorityPrivilege 1724 Server.exe Token: 33 1356 Server.exe Token: SeIncBasePriorityPrivilege 1356 Server.exe Token: 33 2368 Server.exe Token: SeIncBasePriorityPrivilege 2368 Server.exe Token: 33 572 Server.exe Token: SeIncBasePriorityPrivilege 572 Server.exe Token: 33 1332 Server.exe Token: SeIncBasePriorityPrivilege 1332 Server.exe Token: 33 2268 Server.exe Token: SeIncBasePriorityPrivilege 2268 Server.exe Token: 33 2368 Server.exe Token: SeIncBasePriorityPrivilege 2368 Server.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 1256 Server.exe 548 Server.exe 2236 Server.exe 2268 Server.exe 1628 Server.exe 2692 Server.exe 1932 Server.exe 2040 Server.exe 1724 Server.exe 1356 Server.exe 2368 Server.exe 572 Server.exe 1332 Server.exe 2268 Server.exe 2368 Server.exe 2924 Server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 1860 wrote to memory of 2272 1860 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 28 PID 2272 wrote to memory of 2592 2272 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 29 PID 2592 wrote to memory of 2652 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2652 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2652 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2652 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2652 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2508 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 31 PID 2592 wrote to memory of 2508 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 31 PID 2592 wrote to memory of 2508 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 31 PID 2592 wrote to memory of 2508 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 31 PID 2592 wrote to memory of 2508 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 31 PID 2592 wrote to memory of 2660 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 32 PID 2592 wrote to memory of 2660 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 32 PID 2592 wrote to memory of 2660 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 32 PID 2592 wrote to memory of 2660 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 32 PID 2592 wrote to memory of 2660 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 32 PID 2592 wrote to memory of 2708 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 33 PID 2592 wrote to memory of 2708 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 33 PID 2592 wrote to memory of 2708 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 33 PID 2592 wrote to memory of 2708 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 33 PID 2592 wrote to memory of 2708 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 33 PID 2592 wrote to memory of 2112 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 34 PID 2592 wrote to memory of 2112 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 34 PID 2592 wrote to memory of 2112 2592 d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe"2⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\d040bc332f74f04a82d3b134bbac0a16_JaffaCakes118.exe
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:548 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2428
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2160
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2376
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1880
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2260
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"9⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1628 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2916
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"12⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1612
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1756
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2040
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2256
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"15⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2268 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2268 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:868 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1036
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1804
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"9⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2040 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2180
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2504
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1488
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2288
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1720
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"12⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1332 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1932 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2096
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2204
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3056
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2976
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2032
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1740
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"9⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:572 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1164
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2548
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2292
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1708
-
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2508
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2112
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2696
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2848
-
-
C:\Windows\SysWOW64\311wswsetup.exe"C:\Windows\system32\311wswsetup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\is-9J3LG.tmp\311wswsetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9J3LG.tmp\311wswsetup.tmp" /SL5="$701B2,8907165,54272,C:\Windows\SysWOW64\311wswsetup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2564
-
-
-
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1256 -
C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:572 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2860
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1128
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2016
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2336
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2400
-
-
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2236 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1088
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1032
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1632
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:944
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1588
-
-
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"11⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2692 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2800
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1028
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2084
-
-
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"14⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1356 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2996
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1796
-
-
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"17⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21B
MD52b77417d90a79b2923dfea63db65abcf
SHA18d53045f6c294cc04e73f1274301e5b8ec30718b
SHA256c711034f0ebb9d49b55a2583fa7733b6b7eae2ffb15358bf3e84c3ead1d37f75
SHA512d939bf7d882359bcb33ab630827e0bf42471e8adf931daa6d41c15fe4cf3aa359e2f8c8f972a767a22025d8e738e0a6c045ccf4e2094c0b2ae2ed1a2eb60f85a
-
Filesize
1KB
MD51b94552d6fd0ff449878a92d76ccbe8c
SHA11bc8edde3bc928e4d37f90549748fddff7412f85
SHA256b76dc6914f59ba6efa0c76e17acda849f5d544313aee96c992d9ad6e620f7a7c
SHA512c9a794c6ea98d93d32c12a8c029af2c24001e845a42abd282ff03c8a40abf38a6840b0a5317510ed3ab16f6151d6ce1d741ba9323d1cf6d0b9fb08f59752df13
-
Filesize
18.2MB
MD5d040bc332f74f04a82d3b134bbac0a16
SHA1653b45b590c4b380e73d86d9d120e9b63162129c
SHA2568ed08dcd0d0a6e59a09d9d02c93a5c4e1809793c7a10e2081054a822aa1eca1b
SHA512cccd6130aa98800c444ebf5e6c22f6a2fc2ffa7a7fc1a01db3555bd3bd4d33ca687672615feb1f983c3f426184549c13895085aaca2b3e7eab033db062686043
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
693KB
MD56e8d9dd74363f29ede089ecf3b989c59
SHA1673c56c355b99234536144168c0fa37e3fda8e1c
SHA25623b00b7d72a83adaaac640aeb82998294588ee2900b4d681c92ddbca6d255fed
SHA5124e202a7e2c0fc651c89a30b11b048eccc43f3a4ce68ef9445bff80806d37e6057a374f6f9f736fe273cc2222dc9fb39f6bac0e7a8e97c9d9af2b8078bbaf8921
-
Filesize
8.8MB
MD5a3315b8ca14debcfa93fcf18e6659e7b
SHA1f69ed209726bd5e503d787a963e78edee07cb18f
SHA256352398398e50cd12747b7b4a2457d1b9130d9f200f25921d19f04705a273490a
SHA5127b052189756056b27131bf8a32492658220f78c697bf6ee08b3b18ea39a5894d67990de84e14266888650635262442d78458556b554eba45418a5d985cca1590