ardamax | c9c62892d9ee7f25320d942eaf747cf9b234693605fa85b2bcdcd0782622b4ed

Analysis

max time kernel
141s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe
Size

2.1MB
MD5

fa2d9d5d52a3cb9c7a4d4b8040400c2e
SHA1

e4fe7a57045939d4ecb6446a2b3a3f0fe41588f9
SHA256

c9c62892d9ee7f25320d942eaf747cf9b234693605fa85b2bcdcd0782622b4ed
SHA512

fae08e38ce66c4f8f1a5a7309d8355ff262103a21d01b4bbd1eaf8c5681cb1cb70c329ce846463026c80181807655b150864b973b2c4249ca194f5981af9ba4c
SSDEEP

49152:6UEfxItUBRC11qEvNHJcnzHwX21oe0yY/T8Zbvv:FyxkUBRUqENHJc7wXBRyi8dv

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000190e0-41.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1804	Install.exe
2080	FMAI.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe

Loads dropped DLL 10 IoCs

pid	Process
2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe
1804	Install.exe
1804	Install.exe
1804	Install.exe
1804	Install.exe
1804	Install.exe
2080	FMAI.exe
2080	FMAI.exe
2080	FMAI.exe
2080	FMAI.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x000000000069F000-memory.dmp	themida
behavioral1/memory/2400-6-0x0000000000400000-0x000000000069F000-memory.dmp	themida
behavioral1/memory/2400-8-0x0000000000400000-0x000000000069F000-memory.dmp	themida
behavioral1/memory/1804-42-0x0000000002940000-0x0000000002A1F000-memory.dmp	themida
behavioral1/memory/2400-23-0x0000000000400000-0x000000000069F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kill = "c:\\windows\\patch.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FMAI Agent = "C:\\Windows\\SysWOW64\\28463\\FMAI.exe"	FMAI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\FMAI.007	Install.exe
File created	C:\Windows\SysWOW64\28463\FMAI.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	FMAI.exe
File created	C:\Windows\SysWOW64\28463\FMAI.001	Install.exe
File created	C:\Windows\SysWOW64\28463\FMAI.006	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMAI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 63 IoCs

evasion

pid	Process
2664	taskkill.exe
2056	taskkill.exe
2036	taskkill.exe
2428	taskkill.exe
2164	taskkill.exe
1696	taskkill.exe
1624	taskkill.exe
2460	taskkill.exe
1148	taskkill.exe
2172	taskkill.exe
2200	taskkill.exe
2016	taskkill.exe
1572	taskkill.exe
2568	taskkill.exe
2628	taskkill.exe
1120	taskkill.exe
2964	taskkill.exe
2724	taskkill.exe
2900	taskkill.exe
2100	taskkill.exe
2512	taskkill.exe
2696	taskkill.exe
1072	taskkill.exe
2500	taskkill.exe
1900	taskkill.exe
2504	taskkill.exe
1216	taskkill.exe
2604	taskkill.exe
408	taskkill.exe
1620	taskkill.exe
2128	taskkill.exe
2816	taskkill.exe
2764	taskkill.exe
2864	taskkill.exe
2608	taskkill.exe
396	taskkill.exe
2940	taskkill.exe
2716	taskkill.exe
896	taskkill.exe
2748	taskkill.exe
536	taskkill.exe
1436	taskkill.exe
2892	taskkill.exe
2392	taskkill.exe
1860	taskkill.exe
644	taskkill.exe
2700	taskkill.exe
2704	taskkill.exe
2108	taskkill.exe
2528	taskkill.exe
1312	taskkill.exe
2236	taskkill.exe
2068	taskkill.exe
1780	taskkill.exe
588	taskkill.exe
2484	taskkill.exe
1972	taskkill.exe
1928	taskkill.exe
2768	taskkill.exe
2716	taskkill.exe
1296	taskkill.exe
3060	taskkill.exe
1752	taskkill.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\InProcServer32	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\ProgID\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\0\win32\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\VersionIndependentProgID\ = "Msxml2.DOMDocument"	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\ProgID	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\0	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\HELPDIR\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\ = "Cejizofma class"	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\TypeLib\	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\Version	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\VersionIndependentProgID\	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\HELPDIR	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\HELPDIR\ = "%SystemRoot%\\ehome\\CreateDisc\\"	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\ = "SBEServer 1.0 Type Library"	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\0\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\0\win32\ = "%SystemRoot%\\ehome\\CreateDisc\\SBEServer.exe"	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\FLAGS\ = "0"	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\ProgID\ = "Msxml2.DOMDocument"	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\0\win32	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\TypeLib	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\Version\ = "3.0"	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\VersionIndependentProgID	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\FLAGS\	FMAI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}\1.0\FLAGS	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\Version\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\InProcServer32\	FMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF28FDD8-ECED-4E29-0180-F484B8E1C9E0}\TypeLib\ = "{1CA07F0C-E3F4-D6E9-CB13-8FDAD013972E}"	FMAI.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2232	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	taskkill.exe
Token: 33	2080	FMAI.exe
Token: SeIncBasePriorityPrivilege	2080	FMAI.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe
2080	FMAI.exe
2080	FMAI.exe
2080	FMAI.exe
2080	FMAI.exe
2080	FMAI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2780	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2780	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2780	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2780	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	30
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1804	2400	fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe	32
PID 2780 wrote to memory of 2604	2780	cmd.exe	33
PID 2780 wrote to memory of 2604	2780	cmd.exe	33
PID 2780 wrote to memory of 2604	2780	cmd.exe	33
PID 2780 wrote to memory of 2604	2780	cmd.exe	33
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 1804 wrote to memory of 2080	1804	Install.exe	34
PID 2780 wrote to memory of 1436	2780	cmd.exe	36
PID 2780 wrote to memory of 1436	2780	cmd.exe	36
PID 2780 wrote to memory of 1436	2780	cmd.exe	36
PID 2780 wrote to memory of 1436	2780	cmd.exe	36
PID 2780 wrote to memory of 2892	2780	cmd.exe	37
PID 2780 wrote to memory of 2892	2780	cmd.exe	37
PID 2780 wrote to memory of 2892	2780	cmd.exe	37
PID 2780 wrote to memory of 2892	2780	cmd.exe	37
PID 2780 wrote to memory of 2716	2780	cmd.exe	88
PID 2780 wrote to memory of 2716	2780	cmd.exe	88
PID 2780 wrote to memory of 2716	2780	cmd.exe	88
PID 2780 wrote to memory of 2716	2780	cmd.exe	88
PID 2780 wrote to memory of 2528	2780	cmd.exe	39
PID 2780 wrote to memory of 2528	2780	cmd.exe	39
PID 2780 wrote to memory of 2528	2780	cmd.exe	39
PID 2780 wrote to memory of 2528	2780	cmd.exe	39
PID 2780 wrote to memory of 2816	2780	cmd.exe	40
PID 2780 wrote to memory of 2816	2780	cmd.exe	40
PID 2780 wrote to memory of 2816	2780	cmd.exe	40
PID 2780 wrote to memory of 2816	2780	cmd.exe	40
PID 2780 wrote to memory of 2764	2780	cmd.exe	41
PID 2780 wrote to memory of 2764	2780	cmd.exe	41
PID 2780 wrote to memory of 2764	2780	cmd.exe	41
PID 2780 wrote to memory of 2764	2780	cmd.exe	41
PID 2780 wrote to memory of 2460	2780	cmd.exe	42
PID 2780 wrote to memory of 2460	2780	cmd.exe	42
PID 2780 wrote to memory of 2460	2780	cmd.exe	42
PID 2780 wrote to memory of 2460	2780	cmd.exe	42
PID 2780 wrote to memory of 1148	2780	cmd.exe	43
PID 2780 wrote to memory of 1148	2780	cmd.exe	43
PID 2780 wrote to memory of 1148	2780	cmd.exe	43
PID 2780 wrote to memory of 1148	2780	cmd.exe	43
PID 2780 wrote to memory of 1972	2780	cmd.exe	44
PID 2780 wrote to memory of 1972	2780	cmd.exe	44
PID 2780 wrote to memory of 1972	2780	cmd.exe	44
PID 2780 wrote to memory of 1972	2780	cmd.exe	44
PID 2780 wrote to memory of 1752	2780	cmd.exe	45
PID 2780 wrote to memory of 1752	2780	cmd.exe	45
PID 2780 wrote to memory of 1752	2780	cmd.exe	45
PID 2780 wrote to memory of 1752	2780	cmd.exe	45
PID 2780 wrote to memory of 2504	2780	cmd.exe	46
PID 2780 wrote to memory of 2504	2780	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa2d9d5d52a3cb9c7a4d4b8040400c2e_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\avkill.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32kui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nod32krn.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgrsx.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgtray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgwdsvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgctrl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgserv9schedapp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswUpdSv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im savscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im symwsc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im navw32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im norton_av.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im nortonav.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccsetmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ccevtmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avadmin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgnt.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avguard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avnotify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avscan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamscan.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im clamWin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im freshclam.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sigtool.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im w9xpopen.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Wclose.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmgrdian.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oladdin.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alogserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mcshield.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vshwin32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconsol.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vsstat.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avsynmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcenter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avcmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avconfig.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im guardgui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im licmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sched.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im preupd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSASCui.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im zlclient.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kill /t REG_SZ /d c:\windows\patch.bat
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2232
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\28463\FMAI.exe
    "C:\Windows\system32\28463\FMAI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avkill.bat

Filesize
2KB

MD5
ad0c7fbb59e4e600d30216ddbb638207

SHA1
fc710fd9d23faf4fd2cfb435daa080d8c5796208

SHA256
72f5373de1b56524964db0189278dfcb4f0a94c13076c3949a95fc7416e2eff2

SHA512
b80e267dd4b9c8f6e1cad39e1ea16db512f7653d92fedb74f4a4a7d9f7e0870b8778d0601e48f898bbdea26542d1174ea5284b018c6b912316ee3bb11f75dfcb

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
648feddb208db216b8be490d475146bf

SHA1
6d547d942da9ef7f3111a0745b0fad4a97b1b404

SHA256
4391727a8c5ed483bf592fe3171fbc42b877200c9a2403088f83ec21952ede79

SHA512
4a37be1ceec3f44cdf2622b51a9cbf7d5180fae183c2711abffcaa1dbc82af3775220190a24465f4b59603bd621ae51f62cd626c9d90eab0a4ae4afa7b99e254

Download Submit
C:\Windows\SysWOW64\28463\FMAI.001

Filesize
496B

MD5
925d1f085ea4a8997a5daa88ce9d5643

SHA1
c6c321ed94111dc87e94b8cdd2467f7aa365c6f2

SHA256
7c753e149facbabdb00d37b40e5c40792399047ac8ff31b2f0ca1c1c5e9b7b42

SHA512
0015a534787cf2ea989ad49b7ed9a0eaff06c460fdbb80dad617b3640175fc4560aacba7d04d15258515c8f66d1d0d070c41353ce0877f6f22bce65e0349510e

Download Submit
C:\Windows\SysWOW64\28463\FMAI.006

Filesize
8KB

MD5
360b14c3227386ff9e299f3bad1d8fec

SHA1
a8e2bec61fd4c2618389fd23586900cc404b9d8a

SHA256
5dfc62f7fc701c557c62416dee7540d2a45b526b7efb7291b3fbcb0bb4e4d442

SHA512
a318e16a4a3c0a076ec1f543bca97cf83ec327896e22fee660aecb41e670c6d2cda236826414e22cfb618372a3f6d5d3cb77e3fd49d077e668a01a7f4b5ac856

Download Submit
C:\Windows\SysWOW64\28463\FMAI.007

Filesize
5KB

MD5
42ee3ebaf18135e753ab0db26d1b28f4

SHA1
024b66eab8e508a0d0e796e0ee89fc942c159e1a

SHA256
b17fcb0abc3f70e4f2ef0ee2dba273d69292e545d11af46fa703856d90ff0a49

SHA512
5dc5ddaeb304a8deda52c376d8ffb20b94136528d7c3a3ba6e0723348893afddac42db48328547a5d8dd4c0c063ae54df984c10aad6a0a8c55a65055ab21bcd7

Download Submit
C:\Windows\SysWOW64\28463\FMAI.exe

Filesize
649KB

MD5
5936b661a9d756842f05f7ec65e22e3f

SHA1
7032ca05030f29bccc39f5e46f4e08254126e6dc

SHA256
7dc9d0f14ff3432f9132a9ff2a43577326ebbf861e7ebef9831a9a8f14838c90

SHA512
3b0829f8da6e8aa13b0c8449e6aaecdd4e232448c9a470ad1c67e04518896c7ac0849e66de9f4aa6b8d169d1bd4d0ee8d801a9251330b3f711922bcf197577d1

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@5B88.tmp

Filesize
4KB

MD5
b6db0d187b544305516561e7b8ec0ff9

SHA1
c99b513edadfd47f0be8749d63bc792c854b488b

SHA256
789226f32a4f36dda193bd8180bfff7ac5ac665eccacbd3d8916d4030bbcac18

SHA512
61905af678a59d495a526ceef494ef1b905abeab20bdf9f8970b92cd3d38e42cfd5968f4c5ecbde78e615a971c204d4c72e1c6b32f8938ae1c8a20aec8fe234e

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
786KB

MD5
a07138d437d5c9db356edadc83c42c10

SHA1
eaad11083cbe9e718f706ed70c885591dba9bb1e

SHA256
d4d305c341bd4f20b64d386c9e3caa548006d36972c86b8186570f5f6dd700ef

SHA512
c619f10b06323d192c15b2997d3c84add0a5c7be3d8c391088e43a30004633cfb25ab6ee151c1b9beb73cf36700c9e9aafbba56de168667c20d033ab167aff9a

Download Submit
memory/1804-42-0x0000000002940000-0x0000000002A1F000-memory.dmp

Filesize
892KB

Download
memory/2080-43-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2080-59-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2080-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2080-51-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2080-50-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2080-60-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2080-61-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2400-23-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2400-1-0x00000000006A0000-0x0000000000797000-memory.dmp

Filesize
988KB

Download
memory/2400-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2400-3-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2400-6-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2400-8-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2400-0-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download