sality | eb521d50384f45b31ad8fd002b48429febdee7c02866ab752631f27b42b0721e

Analysis

max time kernel
35s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2024, 11:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Size

376KB
MD5

eb34748365c13012b9ac9cc72f7239a9
SHA1

2b3950148a078a0973493f149eaaf43cc99dba52
SHA256

eb521d50384f45b31ad8fd002b48429febdee7c02866ab752631f27b42b0721e
SHA512

bffe9c7dc112645f9ab698ebd67364614b5f2206bb7092ab657e2966c784fefbc680d9e62f9a61b6480005e954694645da3f2ddf66c44c3630a8b41f6b85309e
SSDEEP

3072:AmKxZkvuz8WClBs3zTiFGns5X7z4hJgKVES3Esv:A9kDlyjTiysJEJTCS

Score

10^/10

sality backdoor discovery evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Qyyy jnsateb.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Qyyy jnsateb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Qyyy jnsateb.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Qyyy jnsateb.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Qyyy jnsateb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1664	Qyyy jnsateb.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	Qyyy jnsateb.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:"	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:"	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder"	Qyyy jnsateb.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Qyyy jnsateb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Qyyy jnsateb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\013225823.exe"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\013225823.exe"	Qyyy jnsateb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Qyyy jnsateb.exe

Enumerates connected drives 3 TTPs 5 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Qyyy jnsateb.exe
File opened (read-only)	\??\G:	Qyyy jnsateb.exe
File opened (read-only)	\??\H:	Qyyy jnsateb.exe
File opened (read-only)	\??\I:	Qyyy jnsateb.exe
File opened (read-only)	\??\J:	Qyyy jnsateb.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/212-5-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-16-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-20-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-21-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-7-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-6-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-3-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-4-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-23-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-46-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-126-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/212-120-0x0000000002CB0000-0x0000000003D3E000-memory.dmp	upx
behavioral2/memory/1664-154-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-148-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-153-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-158-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-156-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-152-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-157-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-147-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-149-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-145-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-160-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-161-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-162-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-163-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-164-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-166-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-167-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-168-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-169-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-170-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-171-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-175-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-177-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-180-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-181-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-182-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-183-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-189-0x0000000003810000-0x000000000489E000-memory.dmp	upx
behavioral2/memory/1664-191-0x0000000003810000-0x000000000489E000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
File created	C:\Windows\Qyyy jnsateb.exe	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
File opened for modification	C:\Windows\Qyyy jnsateb.exe	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
File created	C:\Windows\013225823.exe	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
File opened for modification	C:\Windows\013225823.exe	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
File opened for modification	C:\Windows\Qyyy jnsateb.exe	Qyyy jnsateb.exe
File opened for modification	C:\Windows\013225823.exe	Qyyy jnsateb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qyyy jnsateb.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:"	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder"	Qyyy jnsateb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:"	Qyyy jnsateb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
1664	Qyyy jnsateb.exe
1664	Qyyy jnsateb.exe
1664	Qyyy jnsateb.exe
1664	Qyyy jnsateb.exe
1664	Qyyy jnsateb.exe
1664	Qyyy jnsateb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Token: SeDebugPrivilege	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
1664	Qyyy jnsateb.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 776	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	8
PID 212 wrote to memory of 780	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	9
PID 212 wrote to memory of 60	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	13
PID 212 wrote to memory of 2528	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	44
PID 212 wrote to memory of 2580	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	45
PID 212 wrote to memory of 2756	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	50
PID 212 wrote to memory of 3520	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	56
PID 212 wrote to memory of 3672	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	57
PID 212 wrote to memory of 3868	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	58
PID 212 wrote to memory of 3956	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	59
PID 212 wrote to memory of 4020	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	60
PID 212 wrote to memory of 408	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	61
PID 212 wrote to memory of 4128	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	62
PID 212 wrote to memory of 3796	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	74
PID 212 wrote to memory of 3732	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	76
PID 212 wrote to memory of 1664	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	83
PID 212 wrote to memory of 1664	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	83
PID 212 wrote to memory of 1664	212	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe	83
PID 1664 wrote to memory of 776	1664	Qyyy jnsateb.exe	8
PID 1664 wrote to memory of 780	1664	Qyyy jnsateb.exe	9
PID 1664 wrote to memory of 60	1664	Qyyy jnsateb.exe	13
PID 1664 wrote to memory of 2528	1664	Qyyy jnsateb.exe	44
PID 1664 wrote to memory of 2580	1664	Qyyy jnsateb.exe	45
PID 1664 wrote to memory of 2756	1664	Qyyy jnsateb.exe	50
PID 1664 wrote to memory of 3520	1664	Qyyy jnsateb.exe	56
PID 1664 wrote to memory of 3672	1664	Qyyy jnsateb.exe	57
PID 1664 wrote to memory of 3868	1664	Qyyy jnsateb.exe	58
PID 1664 wrote to memory of 3956	1664	Qyyy jnsateb.exe	59
PID 1664 wrote to memory of 4020	1664	Qyyy jnsateb.exe	60
PID 1664 wrote to memory of 408	1664	Qyyy jnsateb.exe	61
PID 1664 wrote to memory of 4128	1664	Qyyy jnsateb.exe	62
PID 1664 wrote to memory of 3796	1664	Qyyy jnsateb.exe	74
PID 1664 wrote to memory of 3732	1664	Qyyy jnsateb.exe	76
PID 1664 wrote to memory of 776	1664	Qyyy jnsateb.exe	8
PID 1664 wrote to memory of 780	1664	Qyyy jnsateb.exe	9
PID 1664 wrote to memory of 60	1664	Qyyy jnsateb.exe	13
PID 1664 wrote to memory of 2528	1664	Qyyy jnsateb.exe	44
PID 1664 wrote to memory of 2580	1664	Qyyy jnsateb.exe	45
PID 1664 wrote to memory of 2756	1664	Qyyy jnsateb.exe	50
PID 1664 wrote to memory of 3520	1664	Qyyy jnsateb.exe	56
PID 1664 wrote to memory of 3672	1664	Qyyy jnsateb.exe	57
PID 1664 wrote to memory of 3868	1664	Qyyy jnsateb.exe	58
PID 1664 wrote to memory of 3956	1664	Qyyy jnsateb.exe	59
PID 1664 wrote to memory of 4020	1664	Qyyy jnsateb.exe	60
PID 1664 wrote to memory of 408	1664	Qyyy jnsateb.exe	61
PID 1664 wrote to memory of 4128	1664	Qyyy jnsateb.exe	62
PID 1664 wrote to memory of 3796	1664	Qyyy jnsateb.exe	74
PID 1664 wrote to memory of 3732	1664	Qyyy jnsateb.exe	76
PID 1664 wrote to memory of 776	1664	Qyyy jnsateb.exe	8
PID 1664 wrote to memory of 780	1664	Qyyy jnsateb.exe	9
PID 1664 wrote to memory of 60	1664	Qyyy jnsateb.exe	13
PID 1664 wrote to memory of 2528	1664	Qyyy jnsateb.exe	44
PID 1664 wrote to memory of 2580	1664	Qyyy jnsateb.exe	45
PID 1664 wrote to memory of 2756	1664	Qyyy jnsateb.exe	50
PID 1664 wrote to memory of 3520	1664	Qyyy jnsateb.exe	56
PID 1664 wrote to memory of 3672	1664	Qyyy jnsateb.exe	57
PID 1664 wrote to memory of 3868	1664	Qyyy jnsateb.exe	58
PID 1664 wrote to memory of 3956	1664	Qyyy jnsateb.exe	59
PID 1664 wrote to memory of 4020	1664	Qyyy jnsateb.exe	60
PID 1664 wrote to memory of 408	1664	Qyyy jnsateb.exe	61
PID 1664 wrote to memory of 4128	1664	Qyyy jnsateb.exe	62
PID 1664 wrote to memory of 3796	1664	Qyyy jnsateb.exe	74
PID 1664 wrote to memory of 3732	1664	Qyyy jnsateb.exe	76

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Qyyy jnsateb.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:212
- - C:\Windows\Qyyy jnsateb.exe
    "C:\Windows\Qyyy jnsateb.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3732

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI

Filesize
257B

MD5
06623f378b7b0a67829b177be22b2885

SHA1
20260bf598ee2409c80706c02995f5e58529e4bc

SHA256
d3084e7903d5a0a1696d3969f35c737278adb96b69f21ed31d3f658cb2fc0467

SHA512
f3b49d2a14b0c4b03a1fc76f32fdec544b9e798b8b2c418c5dcf17580cf37c7194864a97fee8f5ae7199f8f10e3a6d9105236a162693c08e2c07b2dfc04d1932

Download Submit
F:\Ofxuuolre b.exe

Filesize
376KB

MD5
eb34748365c13012b9ac9cc72f7239a9

SHA1
2b3950148a078a0973493f149eaaf43cc99dba52

SHA256
eb521d50384f45b31ad8fd002b48429febdee7c02866ab752631f27b42b0721e

SHA512
bffe9c7dc112645f9ab698ebd67364614b5f2206bb7092ab657e2966c784fefbc680d9e62f9a61b6480005e954694645da3f2ddf66c44c3630a8b41f6b85309e

Download Submit
memory/212-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/212-5-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-16-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-18-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/212-19-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/212-22-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/212-20-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-21-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-7-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-6-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-3-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-4-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-17-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/212-23-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-46-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-131-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/212-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/212-126-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/212-120-0x0000000002CB0000-0x0000000003D3E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-154-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-148-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-153-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-158-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-156-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-159-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/1664-152-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-157-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-155-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/1664-147-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-151-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1664-149-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-145-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-160-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-161-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-162-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-163-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-164-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-166-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-167-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-168-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-169-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-170-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-171-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-173-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/1664-175-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-177-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-180-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-181-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-182-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-183-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-189-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-191-0x0000000003810000-0x000000000489E000-memory.dmp

Filesize
16.6MB

Download
memory/1664-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.